From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Eugene Crosser <crosser@average.org>, netdev@vger.kernel.org
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>,
David Ahern <dsahern@kernel.org>, Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: When routed to VRF, NF _output_ hook is run unexpectedly
Date: Fri, 20 Jun 2025 18:20:08 +0200 [thread overview]
Message-ID: <ed8f88e7-103a-403b-83ed-c40153e9bef0@6wind.com> (raw)
In-Reply-To: <7a4c2457-0eb5-43bc-9fb0-400a7ce045f2@average.org>
On 20/06/2025 at 18:04, Eugene Crosser wrote:
> Thanks Nicolas,
>
> On 20/06/2025 16:56, Nicolas Dichtel wrote:
>
>>> It is possible, and very useful, to implement "two-stage routing" by
>>> installing a route that points to a VRF device:
>>>
>>> ip link add vrfNNN type vrf table NNN
>>> ...
>>> ip route add xxxxx/yy dev vrfNNN
>>>
>>> however this causes surprising behaviour with relation to netfilter
>>> hooks. Namely, packets taking such path traverse _output_ nftables
>>> chain, with conntracking information reset. So, for example, even
>>> when "notrack" has been set in the prerouting chain, conntrack entries
>>> will still be created. The script attached below demonstrates this behaviour.
>> You can have a look at this commit to better understand this:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c9c296adfae9
>
> I've seen this commit.
> My point is that the packets are _not locally generated_ in this case,
> so it seems wrong to pass them to the _output_ hook, doesn't it?
They are, from the POV of the vrf. The first route sends packets to the vrf
device, which acts like a loopback.
Regards,
Nicolas
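A reproducer for the behaviour discussed in this thread, added here as an example; it is not the script Eugene attached to his report (that script is not reproduced on this page). It rebuilds the two-stage route on a single host with two network namespaces and a VRF, applies `notrack` in a raw-priority prerouting chain as in the report, and uses an nft counter at filter priority in the output hook to show whether conntrack still classified the forwarded packet as a new flow after the VRF device handed it back to the stack. It then repeats the run with a matching `notrack` rule in the output hook as the mitigation. The namespace names, interface names, addresses and table number 100 are constructed for the demo. The assumption that the output-hook pass triggered by the VRF device reports the resolved slave interface as its out device (so the rule lists both the VRF device and the slave) comes from reading the VRF driver, not from this thread.

```shell
#!/bin/sh
# Added example, not a script from this thread. Recreates the two-stage VRF
# route with network namespaces and shows, via an nft counter, whether a
# forwarded packet that was marked notrack in prerouting is tracked again in
# the output hook after the VRF device hands it back to the stack.
# Constructed names: netns dA/dB, veths va/vb, vrf100 with table 100.
set -e

VRF=vrf100
TABLE=100

# Emit the ruleset. $1: real ingress interface, $2: VRF device,
# $3: real egress interface (the VRF slave), $4: "yes" to add the output-hook
# notrack (the mitigation). Assumption: at the output-hook pass triggered by
# the VRF device, the out device reported to netfilter is the resolved slave
# ($3); the set also lists the VRF device so that locally originated traffic
# bound to the VRF, whose first output pass reports the VRF device, is covered.
nft_ruleset() {
    output_rule=""
    if [ "$4" = yes ]; then
        output_rule="        oifname { \"$2\", \"$3\" } notrack"
    fi
    cat <<EOF
table inet vrfdemo {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname "$1" notrack
    }
    chain output {
        type filter hook output priority raw; policy accept;
$output_rule
    }
    chain output_count {
        type filter hook output priority filter; policy accept;
        oifname { "$2", "$3" } ct state new counter
    }
}
EOF
}

# dA (10.0.1.2) -- va -- [this host] -- vb (in vrf100) -- dB (10.0.2.2)
setup() {
    ip netns add dA
    ip netns add dB
    ip link add va type veth peer name va_ns
    ip link add vb type veth peer name vb_ns
    ip link set va_ns netns dA
    ip link set vb_ns netns dB
    ip link add "$VRF" type vrf table "$TABLE"
    ip link set vb master "$VRF"
    ip link set va up
    ip link set vb up
    ip link set "$VRF" up
    ip addr add 10.0.1.1/24 dev va
    ip addr add 10.0.2.1/24 dev vb      # connected route lands in table 100
    ip -n dA addr add 10.0.1.2/24 dev va_ns
    ip -n dA link set va_ns up
    ip -n dA route add default via 10.0.1.1
    ip -n dB addr add 10.0.2.2/24 dev vb_ns
    ip -n dB link set vb_ns up
    ip -n dB route add default via 10.0.2.1
    sysctl -qw net.ipv4.ip_forward=1
    # Stage 1 (main table): the destination network points at the VRF device.
    ip route add 10.0.2.0/24 dev "$VRF"
    # Stage 2 (VRF table): return path for dB's replies, which enter via vb.
    ip route add 10.0.1.0/24 dev va table "$TABLE"
}

teardown() {
    nft delete table inet vrfdemo 2>/dev/null || true
    ip link del va 2>/dev/null || true
    ip link del vb 2>/dev/null || true
    ip link del "$VRF" 2>/dev/null || true
    ip netns del dA 2>/dev/null || true
    ip netns del dB 2>/dev/null || true
}

# Without the output-hook notrack the counter shows "packets 1": the packet
# was re-tracked as a new flow. With it, the counter stays at 0.
run_demo() {
    trap teardown EXIT
    setup
    for mitigation in no yes; do
        nft_ruleset va "$VRF" vb "$mitigation" | nft -f -
        ip netns exec dA ping -c 1 -W 1 10.0.2.2 >/dev/null 2>&1 || true
        echo "output-hook notrack=$mitigation:"
        nft list chain inet vrfdemo output_count | grep counter
        nft delete table inet vrfdemo
    done
}

# The topology is only built when explicitly asked for (run as root).
case "${1:-}" in
    run) run_demo ;;
esac
```

Run it as root with `sh vrfdemo.sh run`; it needs iproute2, nftables and a kernel with VRF support. The counter chain sits at filter priority, after the conntrack hook at -200, so it only counts packets that conntrack classified as `new` in the output hook; an untracked packet matches neither `new` nor `established`.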
Thread overview:
2025-06-20 13:38 When routed to VRF, NF _output_ hook is run unexpectedly Eugene Crosser
2025-06-20 14:56 ` Nicolas Dichtel
2025-06-20 16:04 ` Eugene Crosser
2025-06-20 16:20 ` Nicolas Dichtel [this message]
2025-06-24 15:27 ` Eugene Crosser
2025-08-06 9:00 ` Nicolas Dichtel