* Subject: [nftables] Bug: dup rule fails to modify MAC address on netdev/ingress hook
@ 2025-07-23 6:43 zs
2025-07-23 18:16 ` Florian Westphal
0 siblings, 1 reply; 2+ messages in thread
From: zs @ 2025-07-23 6:43 UTC (permalink / raw)
To: netfilter-devel
Hello netfilter/nftables developers,
I've encountered a potential bug in nftables behavior when using the `dup` statement in the netdev/ingress hook to modify the destination MAC address. The issue only occurs when a single rule is defined, but works correctly when two identical rules are added.
### Environment:
- OS: openEuler 24.03 LTS-SP2
- Kernel: 6.6.0-98.0.0.103.oe2403sp2.x86_64
- nftables versions tested: v1.0.8 and v1.1.3
- Interfaces: gretap10 (ingress hook), output to eth2
### Steps to Reproduce:
nft add table netdev mirror_nogre
nft add chain netdev mirror_nogre ingress \
'{ type filter hook ingress device "gretap10" priority 0; }'
nft insert rule netdev mirror_nogre ingress position 0 \
dup to eth2 ether daddr set BC:24:11:C0:CE:EB
Observe with:
tcpdump -ni eth2 -e
### Observed Behavior:
- With one rule: MAC address is not modified (remains original)
- With two identical rules: MAC is correctly set to `bc:24:11:c0:ce:eb`
### Expected Behavior:
A single `dup` rule should duplicate and modify the MAC address.
### Ruleset Example (working case with 2 rules):
table netdev mirror_nogre {
chain ingress {
type filter hook ingress device "gretap10" priority filter;
policy accept;
dup to "eth2" ether daddr set bc:24:11:c0:ce:eb
dup to "eth2" ether daddr set bc:24:11:c0:ce:eb
}
}
### Suspected Cause:
There may be a bug in how `dup` and action statements (like `ether daddr set`) are handled in netdev/ingress hook when only one rule exists.
Best regards,
Zhang Sheng
Email: zs@zslab.cn
--------------
zs@zslab.cn
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Subject: [nftables] Bug: dup rule fails to modify MAC address on netdev/ingress hook
2025-07-23 6:43 Subject: [nftables] Bug: dup rule fails to modify MAC address on netdev/ingress hook zs
@ 2025-07-23 18:16 ` Florian Westphal
0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2025-07-23 18:16 UTC (permalink / raw)
To: zs@zslab.cn; +Cc: netfilter-devel
zs@zslab.cn <zs@zslab.cn> wrote:
> Hello netfilter/nftables developers,
>
> I've encountered a potential bug in nftables behavior when using the `dup` statement in the netdev/ingress hook to modify the destination MAC address. The issue only occurs when a single rule is defined, but works correctly when two identical rules are added.
>
> ### Environment:
> - OS: openEuler 24.03 LTS-SP2
> - Kernel: 6.6.0-98.0.0.103.oe2403sp2.x86_64
> - nftables versions tested: v1.0.8 and v1.1.3
> - Interfaces: gretap10 (ingress hook), output to eth2
>
> ### Steps to Reproduce:
> nft add table netdev mirror_nogre
> nft add chain netdev mirror_nogre ingress \
> '{ type filter hook ingress device "gretap10" priority 0; }'
> nft insert rule netdev mirror_nogre ingress position 0 \
> dup to eth2 ether daddr set BC:24:11:C0:CE:EB
This sets the mac address of the original packet, not the duplicated
one.
> dup to "eth2" ether daddr set bc:24:11:c0:ce:eb
This makes a clone and sends it via eth2.
Then it changes the ether daddr of the original packet.
> dup to "eth2" ether daddr set bc:24:11:c0:ce:eb
This makes a clone of the (now modified) original packet and sends it
via eth2, then alters the daddr again (to the same, already altered
value).
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-07-23 18:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-23 6:43 Subject: [nftables] Bug: dup rule fails to modify MAC address on netdev/ingress hook zs
2025-07-23 18:16 ` Florian Westphal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).