Subject: [nftables] Bug: dup rule fails to modify MAC address on netdev/ingress hook

Hello netfilter/nftables developers,

I've encountered a potential bug in nftables behavior when using the `dup` statement in the netdev/ingress hook to modify the destination MAC address. The issue only occurs when a single rule is defined, but works correctly when two identical rules are added.

### Environment:
- OS: openEuler 24.03 LTS-SP2
- Kernel: 6.6.0-98.0.0.103.oe2403sp2.x86_64
- nftables versions tested: v1.0.8 and v1.1.3
- Interfaces: gretap10 (ingress hook), output to eth2

### Steps to Reproduce:
```sh
nft add table netdev mirror_nogre
nft add chain netdev mirror_nogre ingress \
    '{ type filter hook ingress device "gretap10" priority 0; }'
nft insert rule netdev mirror_nogre ingress position 0 \
    dup to eth2 ether daddr set BC:24:11:C0:CE:EB
```

Observe with:
```sh
tcpdump -ni eth2 -e
```

### Observed Behavior:
- With one rule: MAC address is not modified (remains original)
- With two identical rules: MAC is correctly set to `bc:24:11:c0:ce:eb`

### Expected Behavior:
A single `dup` rule should duplicate and modify the MAC address.

### Ruleset Example (working case with 2 rules):
```
table netdev mirror_nogre {
    chain ingress {
        type filter hook ingress device "gretap10" priority filter;
        policy accept;
        dup to "eth2" ether daddr set bc:24:11:c0:ce:eb
        dup to "eth2" ether daddr set bc:24:11:c0:ce:eb
    }
}
```

### Suspected Cause:
There may be a bug in how `dup` and action statements (like `ether daddr set`) are handled in netdev/ingress hook when only one rule exists.

Best regards,
Zhang Sheng
Email: zs@xxxxxxxx
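An added defender-side check, not part of the original report: assuming nft evaluates a rule's statements left to right and `dup` clones the packet at the point it appears, this script walks the JSON that `nft -j list ruleset` prints (object shape assumed from the libnftables-json documentation) and flags rules in which `dup` precedes a payload set, the ordering used in the reproduction above. The sample ruleset is constructed to mirror the reported case.

```python
import json

# Constructed sample in the shape `nft -j list ruleset` emits (assumed schema:
# "dup": {"dev": ...}, "mangle": {"key": {"payload": {...}}, "value": ...}).
# Rule handle 2 mirrors the reported single-rule case; handle 3 puts the
# payload set before dup for comparison.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"table": {"family": "netdev", "name": "mirror_nogre", "handle": 1}},
    {"chain": {"family": "netdev", "table": "mirror_nogre", "name": "ingress",
               "handle": 1, "type": "filter", "hook": "ingress",
               "dev": "gretap10", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "netdev", "table": "mirror_nogre", "chain": "ingress",
              "handle": 2, "expr": [
                  {"dup": {"dev": "eth2"}},
                  {"mangle": {"key": {"payload": {"protocol": "ether",
                                                  "field": "daddr"}},
                              "value": "bc:24:11:c0:ce:eb"}}]}},
    {"rule": {"family": "netdev", "table": "mirror_nogre", "chain": "ingress",
              "handle": 3, "expr": [
                  {"mangle": {"key": {"payload": {"protocol": "ether",
                                                  "field": "daddr"}},
                              "value": "bc:24:11:c0:ce:eb"}},
                  {"dup": {"dev": "eth2"}}]}},
]})


def find_dup_before_mangle(ruleset_json):
    """Return (table, chain, handle) for every rule in which a dup statement
    precedes a payload mangle. Assumption: statements run in order and dup
    clones the packet where it appears, so a later set does not reach the
    clone sent to the dup device."""
    findings = []
    for item in json.loads(ruleset_json)["nftables"]:
        rule = item.get("rule")
        if not rule:
            continue
        seen_dup = False
        for expr in rule.get("expr", []):
            if "dup" in expr:
                seen_dup = True
            elif seen_dup and "payload" in expr.get("mangle", {}).get("key", {}):
                findings.append((rule["table"], rule["chain"], rule["handle"]))
                break
    return findings


if __name__ == "__main__":
    for table, chain, handle in find_dup_before_mangle(SAMPLE_RULESET):
        print(f"{table}/{chain} handle {handle}: dup precedes payload set; "
              f"the copy sent to the dup device is unmodified")
```

Feed it real output with `nft -j list ruleset | python3 this_script.py` after replacing `SAMPLE_RULESET` with `sys.stdin.read()`.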