From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org,
Phil Sutter <phil@nwl.cc>, Eric Garver <egarver@redhat.com>
Subject: Re: [PATCH 3/7 nft v3] src: add tunnel statement and expression support
Date: Wed, 24 Jun 2026 00:37:23 +0200 [thread overview]
Message-ID: <ajsKozU_JZ3PQLhF@strlen.de> (raw)
In-Reply-To: <0f9b3772-0b38-40ae-ad3f-e2e790695054@suse.de>
Hi Fernando,
Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> On 12/29/25 2:51 PM, Yi Chen wrote:
> > Hello Pablo and Fernando,
> > I have started working on a test script (attached) to exercise this
> > feature, using a geneve tunnel with an egress hook.
> > Please let me know if egress is the correct hook to use in this context.
> >
> > However, the behavior is not what I expected: the tunnel template does
> > not appear to be attached, and even ARP packets are not being
> > encapsulated.
> > I would appreciate any guidance on what I might be missing, or
> > suggestions on how this test could be improved.
> > Thank you for your time and help.
> >
>
> As my patch is taking longer than expected because I am polishing all the
> details related to the tunnel object let me explain it here briefly to
> unblock you.
>
> The tunnel expression/object is used to attach tunnel metadata to a packet,
> so in essence it supports Lightweight Tunneling (LWT) using nftables. The LWT
> support is useful in virtualization environments where the users need to
> create a lot of tunnels to interconnect containers that are inside
> different VMs. Instead of creating one interface per container, the idea is
> that the user can create a single one and then attach the metadata as
> needed. Imagine the topology described below.
I'm trying to get Yi's test script to work but I am failing as well.
AFAICS the entire feature doesn't work *by design*.
> +------------------------+ +------------------------+
> |--------+ VM A | | VM B +--------|
> |Box | +------+ +---+|(192.168.124.49) +----+ +------+ |Box |
> |10.0.0.1|-|vxlan0|-|eth0|-------------------|eth0|-|vxlan0|-|10.0.0.2|
> |--------+ +------+ +---+| (192.168.124.134)+----+ +------+ +--------|
> | | | |
> | | | |
> +------------------------+ +------------------------+
How do I read this diagram?
Are these 4 computers or 2?
What is "Box" ? Is that a container inside of VM A / B ?
And if so, how does it connect to VM A? veth? The diagram reads like
it's a container connected to VM A via a vxlan tunnel...
Which makes no sense to me.
> We want to reach 10.0.0.2 from 10.0.0.1, the nftables ruleset on VM A will
> look like this:
>
> ```
> table netdev filter_tunnel {
>         tunnel vxlan_tmpl {
>                 id 100
>                 ip saddr 192.168.124.49
>                 ip daddr 192.168.124.134
>                 dport 8472
>                 ttl 255
>                 vxlan {
>                         gbp 100
>                 }
>         }
>
>         chain redirect_to_tunnel {
>                 type filter hook ingress device "veth_host" priority filter; policy accept;
>                 ip daddr 10.0.0.2 tunnel name "vxlan_tmpl" fwd to "vxlan0"
>         }
>
>         chain redirect_from_tunnel {
>                 type filter hook ingress device "vxlan0" priority filter; policy accept;
>                 ip daddr 10.0.0.1 fwd to "veth_host"
How can this work? I tried to get this to run but *ingress* sees no
packets. Which is not surprising to me, as packets are *egressing* from
VM A, not coming in.
The only way that I can get it to work is via normal tunnel device +
routes, no nftables rules needed.
Can you make a test script for packetpath?
Or add documentation that explains how to use this feature?
Thanks.
Thread overview: 13+ messages
2025-08-21 9:12 [PATCH 1/7 nft v3] src: add tunnel template support Fernando Fernandez Mancera
2025-08-21 9:12 ` [PATCH 2/7 nft v3] tunnel: add erspan support Fernando Fernandez Mancera
2025-08-21 9:12 ` [PATCH 3/7 nft v3] src: add tunnel statement and expression support Fernando Fernandez Mancera
2025-12-29 13:51 ` Yi Chen
2025-12-30 11:11 ` Fernando Fernandez Mancera
2026-01-07 14:31 ` Fernando Fernandez Mancera
[not found] ` <CAJsUoE24NEe65atDs58dgwgxir8vLtEbrRkKp0nXpUVHFD6E_g@mail.gmail.com>
2026-01-26 1:02 ` Yi Chen
2026-06-23 22:37 ` Florian Westphal [this message]
2025-08-21 9:12 ` [PATCH 4/7 nft v3] tunnel: add vxlan support Fernando Fernandez Mancera
2025-08-21 9:13 ` [PATCH 5/7 nft v3] tunnel: add geneve support Fernando Fernandez Mancera
2025-08-21 9:13 ` [PATCH 6/7 nft v3] tunnel: add tunnel object and statement json support Fernando Fernandez Mancera
2025-08-21 9:13 ` [PATCH 7/7 nft v3] tests: add tunnel shell and python tests Fernando Fernandez Mancera
2025-08-27 22:24 ` [PATCH 1/7 nft v3] src: add tunnel template support Pablo Neira Ayuso