On 20/06/2025 18:04, Eugene Crosser wrote:
> Thanks Nicolas,
>
> On 20/06/2025 16:56, Nicolas Dichtel wrote:
>
>>> It is possible, and very useful, to implement "two-stage routing" by
>>> installing a route that points to a VRF device:
>>>
>>> ip link add vrfNNN type vrf table NNN
>>> ...
>>> ip route add xxxxx/yy dev vrfNNN
>>>
>>> however this causes surprising behaviour in relation to netfilter
>>> hooks. Namely, packets taking such a path traverse the _output_ nftables
>>> chain, with conntrack information reset. So, for example, even
>>> when "notrack" has been set in the prerouting chain, conntrack entries
>>> will still be created. The script attached below demonstrates this behaviour.
>> You can have a look at this commit to better understand this:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c9c296adfae9
>
> I've seen this commit.
> My point is that the packets are _not locally generated_ in this case,
> so it seems wrong to pass them to the _output_ hook, doesn't it?

They are, from the POV of the vrf. The first route sends packets to the vrf device, which acts like a loopback.

Regards,
Nicolas
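A runnable reproducer for the behaviour discussed in this thread, added here as an example; it is not the script attached to the original mail and not kernel or iproute2 code. It builds three network namespaces (cl, rt, sv), gives the router rt a VRF vrf100 with table 100, installs the "two-stage" main-table route that points at the VRF device, loads an nftables ruleset with notrack in prerouting plus packet counters on the forward and output hooks, and pings across. Every name, address and the table number are assumptions chosen for the example; it needs root, iproute2 and nft, and leaves no namespaces behind.

```shell
#!/bin/sh
# Added reproducer for the thread above (not the original attached script).
# Topology (all names/addresses are assumptions made for this example):
#   ns cl 10.0.1.2 (c0) <-> (r0) 10.0.1.1 ns rt 10.0.2.1 (r1, in vrf100) <-> (s0) 10.0.2.2 ns sv
# On rt the main table routes 10.0.2.0/24 to "dev vrf100" (stage 1); table 100
# then routes it out r1 (stage 2), so a forwarded packet crosses the VRF device.
set -e

# root, iproute2, nft and permission to create a netns are all required
can_run() {
    [ "$(id -u)" -eq 0 ] || return 1
    command -v ip >/dev/null && command -v nft >/dev/null || return 1
    ip netns add gr_probe 2>/dev/null || return 1
    ip netns del gr_probe
}

setup() {
    ip netns add cl; ip netns add rt; ip netns add sv
    ip link add c0 type veth peer name r0
    ip link add r1 type veth peer name s0
    ip link set c0 netns cl; ip link set r0 netns rt
    ip link set r1 netns rt; ip link set s0 netns sv
    # client and server: plain hosts with a default route through rt
    ip -n cl addr add 10.0.1.2/24 dev c0; ip -n cl link set c0 up
    ip -n cl route add default via 10.0.1.1
    ip -n sv addr add 10.0.2.2/24 dev s0; ip -n sv link set s0 up
    ip -n sv route add default via 10.0.2.1
    # router: r0 stays in the main table, r1 is enslaved to vrf100 (table 100)
    ip -n rt link set lo up
    ip -n rt addr add 10.0.1.1/24 dev r0; ip -n rt link set r0 up
    ip -n rt link add vrf100 type vrf table 100
    ip -n rt link set vrf100 up
    ip -n rt link set r1 master vrf100
    ip -n rt addr add 10.0.2.1/24 dev r1; ip -n rt link set r1 up
    ip netns exec rt sysctl -q -w net.ipv4.ip_forward=1
    # stage 1: the main table hands the server subnet to the VRF device
    ip -n rt route add 10.0.2.0/24 dev vrf100
    # return path for replies that arrive on the VRF-enslaved r1
    ip -n rt route add 10.0.1.0/24 dev r0 table 100
    # notrack in prerouting; the counters show which hooks a forwarded packet hits
    ip netns exec rt nft -f - <<'EOF'
table inet repro {
    chain pre { type filter hook prerouting priority raw; policy accept; counter notrack }
    chain fwd { type filter hook forward priority filter; policy accept; counter }
    chain out { type filter hook output priority filter; policy accept; counter }
}
EOF
}

teardown() {
    for ns in cl rt sv; do ip netns del "$ns" 2>/dev/null || true; done
}

# packets counted so far on chain $1 of table inet repro inside ns rt
hook_packets() {
    ip netns exec rt nft list chain inet repro "$1" |
        sed -n 's/.*counter packets \([0-9]*\).*/\1/p'
}

# number of conntrack entries in ns rt whose destination is the server
conntrack_entries() {
    ip netns exec rt sh -c 'conntrack -L 2>/dev/null || cat /proc/net/nf_conntrack 2>/dev/null' |
        grep -c 'dst=10.0.2.2' || true
}

run_demo() {
    setup
    ip netns exec cl ping -c 1 -W 1 10.0.2.2 >/dev/null || true
    echo "forward chain: $(hook_packets fwd) packets"
    echo "output chain:  $(hook_packets out) packets (non-zero: the forwarded packet went through local-out)"
    echo "conntrack entries for 10.0.2.2: $(conntrack_entries) (non-zero despite notrack in prerouting)"
}

# usage: sudo sh repro.sh run
if [ "${1:-}" = run ]; then
    trap teardown EXIT
    run_demo
fi
```

Run it as root with the argument `run`. The forward counter shows the packet was routed, not locally generated, yet the output counter also increments, because the VRF device's xmit path hands the packet to ip_local_out with its conntrack state cleared; the conntrack listing then shows the entry that notrack in prerouting was meant to prevent.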