From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: nfnetlink_queue: reroute reinjected packets from postrouting
Date: Mon, 7 Oct 2024 10:30:00 +0200
Message-ID: <ZwOcCOEADH7bDT3b@calendula>
In-Reply-To: <CABhP=tYLGfwmAvfU=d78trfxFqgfC05mFEkz=xOv9a8VUkfNDQ@mail.gmail.com>

On Mon, Oct 07, 2024 at 09:14:41AM +0100, Antonio Ojea wrote:
> On Sun, 6 Oct 2024 at 15:44, Antonio Ojea <antonio.ojea.garcia@gmail.com> wrote:
> >
> > >
> > > It could be a different scenario. I was expecting that consistency in UDP packet
> > > distribution is a requirement, but I understood the goal at this stage is
> > > to ensure packets are not dropped while dealing with clash resolution.
> > >
> > > I have applied Florian's patch to nf.git, thanks.
> >
> > Is there a workaround I can apply in the meantime? Kernel fixes take
> > a long time to be on users' distros and I have continuous reports
> > about this problem.
> >
> > I was thinking that I can track the tuples in userspace and hold the
> > duplicate for some time, but I'm not sure this will completely solve
> > the problem and I want to consider this as a last resort.
> > Is there any feature in nftables that can help? Any ideas/suggestions
> > I can explore?
> 
> Answering myself, and for reference in case someone hits the same
> problem: I just special-cased the DNS traffic to be processed only in
> the PREROUTING hook after DNAT and skip it in POSTROUTING; this does
> not seem to trigger the race problem.

I am going to request inclusion of this patch to -stable so you don't
have to carry this workaround in the near future.
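
A sketch of the workaround described in the quoted message, as an added example that is not from the thread or from any participant's ruleset. The table and chain names, queue number 100, the `bypass` flag, the `udp dport 53` match and the assumption that all other traffic is queued from postrouting are all constructed for illustration.

```nftables
# Constructed example: names, queue number and matches are assumptions.
table inet nfq_example {
    chain prerouting {
        # Priority just after dstnat (-100), so DNS is queued once, post-DNAT.
        type filter hook prerouting priority dstnat + 5; policy accept;
        udp dport 53 queue num 100 bypass
    }

    chain postrouting {
        type filter hook postrouting priority filter; policy accept;
        # DNS was already handled in prerouting: do not queue it again here.
        udp dport 53 accept
        # Everything else is still queued from postrouting.
        queue num 100 bypass
    }
}
```

Locally generated packets do not traverse prerouting, so in this sketch DNS queries originating on the host itself are never queued.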
