Thanks Nicolas,

On 20/06/2025 16:56, Nicolas Dichtel wrote:
>> It is possible, and very useful, to implement "two-stage routing" by
>> installing a route that points to a VRF device:
>>
>> ip link add vrfNNN type vrf table NNN
>> ...
>> ip route add xxxxx/yy dev vrfNNN
>>
>> however this causes surprising behaviour with relation to netfilter
>> hooks. Namely, packets taking such a path traverse the _output_ nftables
>> chain, with conntracking information reset. So, for example, even
>> when "notrack" has been set in the prerouting chain, conntrack entries
>> will still be created. The script attached below demonstrates this behaviour.
> You can have a look at this commit to better understand this:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c9c296adfae9

I've seen this commit. My point is that the packets are _not locally generated_ in this case, so it seems wrong to pass them to the _output_ hook, doesn't it?

Regards,
Eugene
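A self-contained reproducer for the two-stage-routing setup discussed in the quoted message, added here as an example and not the script attached to the original mail. It builds a "client" and a "router" namespace, sends the prefix to a VRF device in the router's main table and on to a dummy interface in the VRF table, installs notrack in prerouting plus a counter in output, and then shows what the forwarded packet does to the output hook and to the conntrack table. All names, addresses and the table number are constructed; it assumes root, iproute2, nft and conntrack-tools.

```shell
#!/bin/sh
# Added reproducer (not the original mail's script). Namespaces, addresses and
# table id are constructed. Run as: sudo env REPRO=1 sh repro.sh
R=vrfrepro-router; C=vrfrepro-client; T=100

# Ruleset under test: notrack in prerouting, and a counter in output so any
# traversal of the output hook by the forwarded packet becomes visible.
ruleset() {
	cat <<'EOF'
table inet repro {
	chain pre { type filter hook prerouting priority raw; policy accept; notrack }
	chain out { type filter hook output priority filter; policy accept; counter }
}
EOF
}

setup() {
	ip netns add $R; ip netns add $C
	ip -n $R link add vrf$T type vrf table $T
	ip -n $R link add dummy0 type dummy
	ip -n $R link add veth0 type veth peer name veth1 netns $C
	ip -n $R addr add 10.99.0.1/24 dev veth0
	ip -n $C addr add 10.99.0.2/24 dev veth1
	for d in vrf$T dummy0 veth0; do ip -n $R link set $d up; done
	ip -n $C link set veth1 up
	ip -n $C route add default via 10.99.0.1
	ip netns exec $R sysctl -qw net.ipv4.ip_forward=1
	ip -n $R route add 10.99.1.0/24 dev vrf$T            # stage 1: main table -> VRF device
	ip -n $R route add 10.99.1.0/24 dev dummy0 table $T  # stage 2: VRF table -> real egress
	ruleset | ip netns exec $R nft -f -
}

run() {
	# One forwarded (not locally generated) packet from the client through the router.
	ip netns exec $C ping -c 1 -W 1 10.99.1.5 >/dev/null 2>&1 || true
	echo "--- output chain counter (the mail reports it increments for this forwarded packet):"
	ip netns exec $R nft list chain inet repro out
	echo "--- conntrack entries (the mail reports one appears despite notrack in prerouting):"
	ip netns exec $R conntrack -L 2>/dev/null
}

cleanup() { ip netns del $R 2>/dev/null; ip netns del $C 2>/dev/null; }

if [ "$(id -u)" = 0 ] && [ "${REPRO:-}" = 1 ]; then
	trap cleanup EXIT; setup; run
fi
```

A counter of zero and an empty conntrack table would mean the forwarded packet stayed out of the output hook, which is the behaviour the reply argues should apply to non-locally-generated traffic.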