From: Florian Westphal <fw@strlen.de>
To: "zs@zslab.cn" <zs@zslab.cn>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: Subject: [nftables] Bug: dup rule fails to modify MAC address on netdev/ingress hook
Date: Wed, 23 Jul 2025 20:16:39 +0200
Message-ID: <aIEnB7ijcw_-mzjd@strlen.de>
In-Reply-To: <2025072314434064423510@zslab.cn>

zs@zslab.cn <zs@zslab.cn> wrote:
> Hello netfilter/nftables developers,
> 
> I've encountered a potential bug in nftables behavior when using the `dup` statement in the netdev/ingress hook to modify the destination MAC address. The issue only occurs when a single rule is defined, but works correctly when two identical rules are added.
> 
> ### Environment:
> - OS: openEuler 24.03 LTS-SP2
> - Kernel: 6.6.0-98.0.0.103.oe2403sp2.x86_64
> - nftables versions tested: v1.0.8 and v1.1.3
> - Interfaces: gretap10 (ingress hook), output to eth2
> 
> ### Steps to Reproduce:
> nft add table netdev mirror_nogre
> nft add chain netdev mirror_nogre ingress \
>     '{ type filter hook ingress device "gretap10" priority 0; }'
> nft insert rule netdev mirror_nogre ingress position 0 \
>     dup to eth2 ether daddr set BC:24:11:C0:CE:EB

This sets the MAC address of the original packet, not the duplicated
one.

> dup to "eth2" ether daddr set bc:24:11:c0:ce:eb

This makes a clone and sends it via eth2.
Then it changes the ether daddr of the original packet.

> dup to "eth2" ether daddr set bc:24:11:c0:ce:eb

This makes a clone of the (now modified) original packet and sends it
via eth2, then alters the daddr again (to the same, already altered
value).
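
The evaluation order described in the reply, as a toy Python model (an added example, not part of the thread and not nftables or kernel code). It assumes statements within a rule run left to right; `ORIG_MAC` is a constructed value, and the reordered rule is a hypothetical variant that is not discussed in the thread.

```python
# Toy model of rule evaluation (added example, not nft or kernel code).
# Assumption: statements in a rule run left to right, rules run in order.
from copy import deepcopy

ORIG_MAC = "aa:aa:aa:aa:aa:aa"  # constructed sample value
NEW_MAC = "bc:24:11:c0:ce:eb"   # value used by the rules in the thread


def dup_to(dev):
    """Statement: clone the packet as it is right now and send the clone via dev."""
    def stmt(pkt, sent):
        sent.append((dev, deepcopy(pkt)))
    return stmt


def set_ether_daddr(mac):
    """Statement: rewrite the destination MAC of the packet being evaluated."""
    def stmt(pkt, sent):
        pkt["ether_daddr"] = mac
    return stmt


def run_chain(rules, pkt):
    """Evaluate every rule on pkt; return (clones sent, original after the chain)."""
    pkt = deepcopy(pkt)
    sent = []
    for rule in rules:
        for stmt in rule:
            stmt(pkt, sent)
    return sent, pkt


def macs_on(dev, sent):
    """Destination MACs of the clones transmitted on dev, in order."""
    return [p["ether_daddr"] for d, p in sent if d == dev]


packet = {"ether_daddr": ORIG_MAC}
reported = [dup_to("eth2"), set_ether_daddr(NEW_MAC)]   # rule as written in the report
reordered = [set_ether_daddr(NEW_MAC), dup_to("eth2")]  # hypothetical: set before dup

one_rule, orig_after_one = run_chain([reported], packet)
two_rules, _ = run_chain([reported, reported], packet)
swapped, _ = run_chain([reordered], packet)

if __name__ == "__main__":
    print("one rule, clones on eth2:  ", macs_on("eth2", one_rule))
    print("two rules, clones on eth2: ", macs_on("eth2", two_rules))
    print("set before dup, on eth2:   ", macs_on("eth2", swapped))
```

In this model the second of two identical rules is what emits a clone with the rewritten address, which is why the two-rule setup appeared to work for the reporter.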
