zs@xxxxxxxx <zs@xxxxxxxx> wrote:
> Hello netfilter/nftables developers,
>
> I've encountered a potential bug in nftables behavior when using the `dup` statement in the netdev/ingress hook to modify the destination MAC address. The issue only occurs when a single rule is defined, but works correctly when two identical rules are added.
>
> ### Environment:
> - OS: openEuler 24.03 LTS-SP2
> - Kernel: 6.6.0-98.0.0.103.oe2403sp2.x86_64
> - nftables versions tested: v1.0.8 and v1.1.3
> - Interfaces: gretap10 (ingress hook), output to eth2
>
> ### Steps to Reproduce:
> nft add table netdev mirror_nogre
> nft add chain netdev mirror_nogre ingress \
>     '{ type filter hook ingress device "gretap10" priority 0; }'
> nft insert rule netdev mirror_nogre ingress position 0 \
>     dup to eth2 ether daddr set BC:24:11:C0:CE:EB

This sets the mac address of the original packet, not the duplicated one.

> dup to "eth2" ether daddr set bc:24:11:c0:ce:eb

This makes a clone and sends it via eth2. Then it changes the ether daddr of the original packet.

> dup to "eth2" ether daddr set bc:24:11:c0:ce:eb

This makes a clone of the (now modified) original packet and sends it via eth2, then alters the daddr again (to the same, already altered value).
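To make the ordering argument in the reply above concrete, here is a small added model (not nftables code, and not from anyone in this thread) of how statements in a rule are evaluated one after another: `dup` copies the packet as it is at that moment, while `ether daddr set` rewrites the packet still being processed. The packet, interface names and MAC values are constructed for the example.

```python
# Added example: a toy model of nftables' sequential statement evaluation,
# written to illustrate the reply above. It is not nftables code; the packet
# and the "statements" are constructed here and mimic only the two verbs
# discussed in the thread: `dup to <iface>` and `ether daddr set <mac>`.
from copy import deepcopy


def run_rules(packet, rules):
    """Evaluate rules in order against one packet.

    Each rule is a list of (verb, arg) statements. `dup` clones the packet
    as it is at that moment and queues the clone for the named interface;
    `set_daddr` rewrites the packet the rule is currently processing (the
    original). Returns the final original packet and the emitted clones.
    """
    pkt = deepcopy(packet)
    clones = []
    for rule in rules:
        for verb, arg in rule:
            if verb == "dup":
                clones.append({"oif": arg, "pkt": deepcopy(pkt)})
            elif verb == "set_daddr":
                pkt["ether_daddr"] = arg
            else:
                raise ValueError(f"unknown statement {verb!r}")
    return pkt, clones


# Constructed sample packet arriving on gretap10 (values are made up).
ORIGINAL = {"iif": "gretap10", "ether_daddr": "00:11:22:33:44:55"}
NEW_MAC = "bc:24:11:c0:ce:eb"
# The single rule from the report: dup first, then set.
ONE_RULE = [[("dup", "eth2"), ("set_daddr", NEW_MAC)]]
# The same rule inserted twice, as the reporter observed "working".
TWO_RULES = ONE_RULE * 2


def clone_daddrs(rules):
    """Destination MACs carried by the clones sent out eth2, in order."""
    _, clones = run_rules(ORIGINAL, rules)
    return [c["pkt"]["ether_daddr"] for c in clones]


if __name__ == "__main__":
    for name, rules in (("one rule", ONE_RULE), ("two rules", TWO_RULES)):
        final, _ = run_rules(ORIGINAL, rules)
        print(name, "-> clone daddrs:", clone_daddrs(rules),
              "| original daddr afterwards:", final["ether_daddr"])
```

With one rule the only clone still carries the untouched MAC; with two rules the second clone is taken from the already-rewritten original, which is why the duplicated rule appears to "work".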