On 20/06/2025 at 15:38, Eugene Crosser wrote:
> Hello!

Hello,

> It is possible, and very useful, to implement "two-stage routing" by
> installing a route that points to a VRF device:
>
> ip link add vrfNNN type vrf table NNN
> ...
> ip route add xxxxx/yy dev vrfNNN
>
> However, this causes surprising behaviour in relation to netfilter
> hooks. Namely, packets taking such a path traverse the _output_ nftables
> chain, with conntrack information reset. So, for example, even
> when "notrack" has been set in the prerouting chain, conntrack entries
> will still be created. The script attached below demonstrates this behaviour.

You can have a look at this commit to better understand this:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c9c296adfae9

Regards,
Nicolas