On 1/28/26 7:24 AM, Florian Feldbauer via Tech-talk wrote:
Ok found the issue.
On the MPOD crate controller, nftables is used as the firewall, not
iptables....
"iptables" has been a compatibility layer on top of nftables for
some years now. As you have found, "iptables" output will only
show rules added through this compatibility layer. However, "nft"
will show all rules, so "nft list ruleset" has become my usual
starting point for investigation.
The nftables config was:
chain output {
type filter hook output priority 0; policy drop;
followed by a list of a few ports/services on UDP and TCP that
were allowed.
From the debug output below (e.g. " 2026-01-28T10:33:24.334
Sending 49 bytes 0.0.0.0:38188 -> 192.168.10.1:53857.")
I guess neither the source nor the destination port of the
reply are fixed?
Correct.
Which means, I basically have to change the rules to just
accept all outbound UDP traffic
Since this is an outbound rule, the UID/GID of the sending
process is available.
(which I do not really see an issue with....it's in a local
subnet anyway).
I agree. Restrictions on outbound traffic are much less common.
...I know about `netstat -p` and normally use `-tulpn`, but:
root@iseg-iCS2-5230317:~# netstat -tulpn
netstat: invalid option -- 'p'
BusyBox v1.24.1 (2025-05-16 07:17:53 UTC) multi-call binary.
Usage: netstat [-ral] [-tuwx] [-en]
Ah, decade-old busybox... Newer versions support "-p".
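As an added illustration (not from the thread or the MPOD firmware) of the point above that an output chain can match on the sending process: an nftables ruleset that keeps the controller's "policy drop" default but admits outbound UDP only for one service account on the local subnet, instead of opening all outbound UDP. It assumes a hypothetical account "epics" for the sending process and the 192.168.10.0/24 subnet seen in the debug log.

```nft
# Added example, not the original crate-controller config.
# Assumptions: the process that sends the UDP replies runs as the
# (hypothetical) user "epics"; the peers live in 192.168.10.0/24.
table inet filter {
    chain output {
        type filter hook output priority 0; policy drop;

        # loopback traffic and replies inside flows conntrack already knows
        oif "lo" accept
        ct state established,related accept

        # the few fixed-port TCP/UDP services that were already allowed
        # (constructed placeholder; substitute the controller's own list)
        tcp dport { 22 } accept

        # The thread's case: the reply goes out from a fresh socket, so
        # neither source nor destination port is fixed.  Rather than
        # "udp accept", match the originating socket's UID (only
        # available on the output hook) and restrict it to the subnet.
        meta skuid "epics" ip daddr 192.168.10.0/24 udp dport 1024-65535 accept

        # everything else is still dropped; log and count it so a blocked
        # flow shows up in the kernel log instead of failing silently
        log prefix "output-drop: " counter drop
    }
}
```

Load it with `nft -f <file>` and confirm the result with `nft list ruleset`, the same starting point mentioned above; the counter on the final rule shows whether anything is still being dropped.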