Re: [PATCH] netfilter: ipv6: Don't preserve original oif for loopback address

On Mon, Feb 4, 2019 at 5:18 PM Eli Cooper <elicooper@xxxxxxx> wrote:
>
> On 2019/2/4 21:50, Alin Năstac wrote:
> > On Mon, Feb 4, 2019 at 2:46 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >>
> >> On Tue, Jan 22, 2019 at 08:27:22AM +0100, Alin Năstac wrote:
> >>> On Tue, Jan 22, 2019 at 6:35 AM Florian Westphal <fw@xxxxxxxxx> wrote:
> >>>>
> >>>> Eli Cooper <elicooper@xxxxxxx> wrote:
> >>>>> AFAICT that's not the case: REDIRECT only rewrites daddr, but oif is
> >>>>> left untouched.
> >>>>
> >>>> That's correct.  For OUTPUT, expected behaviour is that 'route type
> >>>> chain' (nftables), respectively mangle OUTPUT -- records the route keys
> >>>> before consulting the ruleset and tests them for changes, then, if
> >>>> any key has changed (this includes skb->mark), mangle/route chain type
> >>>> call *_route_me_harder to re-lookup the route.
> >>>
> >>> True, but I don't understand why the packet is dropped. Due to daddr
> >>> being set to ::1, outgoing interface after ip6_route_me_harder is
> >>> called will be loopback anyway, even if you don't impose it through
> >>> flowi6_oif.
>
> I'm not imposing oif to be loopback through flowi6 here.  Instead it is
> to make sure the original (incorrect) oif is not preserved.  For example,
>
> ip6tables -t nat -A OUTPUT -d example.org -p tcp --dport 80 -j REDIRECT --to 8000
>
> In that case the original output interface would be the interface of
> the default gateway.  If it is preserved, it will be respected after
> ip6_route_me_harder(), even with daddr rewritten to ::1.
>
> >>
> >> Still concerns with this, Alin?
> >
> > Well, I haven't received a response yet; it is unclear to me why this
> > commit triggered a packet drop.
> >
>
> Sorry for the laggy response.  Actually the packet was not exactly dropped;
> instead it was sent out to the original oif rather than lo.  When a packet
> with daddr ::1 is sent to the router, it is effectively dropped.

I understood the issue now... REDIRECT sets daddr to ::1 and leaves oif
unchanged, relying on ip6_route_me_harder() to reset oif to loopback.
You have no objection from my part, it does not affect the use cases I
was trying to fix with my patch.
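A toy model of the mechanism Florian and Eli describe, added here as an illustration and not code from the kernel or from the patch under discussion: the route keys snapshotted before the OUTPUT ruleset, the re-lookup after REDIRECT rewrites daddr to ::1, and why a preserved oif keeps the packet on the default-gateway interface. The lookup itself, the ifindex values and the 2001:db8::10 destination are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define LOOPBACK_IFINDEX   1  /* lo */
#define DEFAULT_GW_IFINDEX 2  /* constructed: interface towards the default gateway */

/* Route keys that mangle OUTPUT / a route chain snapshots before running the ruleset. */
struct route_keys { uint8_t daddr[16]; uint8_t saddr[16]; uint32_t mark; int oif; };
static const uint8_t IN6_LOOPBACK[16] = { [15] = 1 };  /* ::1 */
static bool is_loopback(const uint8_t a[16]) { return memcmp(a, IN6_LOOPBACK, 16) == 0; }

/* Toy lookup (an assumption, not the kernel FIB): a non-zero flowi6_oif pins the
 * route to that interface, otherwise the destination address decides. */
static int toy_route_lookup(const uint8_t daddr[16], int flowi6_oif)
{
    if (flowi6_oif != 0)
        return flowi6_oif;
    return is_loopback(daddr) ? LOOPBACK_IFINDEX : DEFAULT_GW_IFINDEX;
}

/* REDIRECT in OUTPUT: daddr becomes ::1, oif is left untouched. */
static void toy_redirect(struct route_keys *k) { memcpy(k->daddr, IN6_LOOPBACK, 16); }

/* Any changed key (mark included) means the route has to be looked up again. */
static bool route_keys_changed(const struct route_keys *a, const struct route_keys *b)
{
    return memcmp(a->daddr, b->daddr, 16) != 0 || memcmp(a->saddr, b->saddr, 16) != 0 ||
           a->mark != b->mark || a->oif != b->oif;
}

/* Re-lookup after the ruleset. With loopback_fix the original oif is not
 * carried into the flow when daddr is a loopback address. */
static int toy_route_me_harder(struct route_keys *k, bool loopback_fix)
{
    int flowi6_oif = (loopback_fix && is_loopback(k->daddr)) ? 0 : k->oif;
    k->oif = toy_route_lookup(k->daddr, flowi6_oif);
    return k->oif;
}

/* Interface a locally generated packet to a global address leaves on after
 * REDIRECT, without (false) or with (true) the fix. */
int simulate_redirect(bool loopback_fix)
{
    struct route_keys before = { .daddr = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x10 } };
    before.oif = toy_route_lookup(before.daddr, 0);  /* 2001:db8::10 via the default gw */
    struct route_keys after = before;
    toy_redirect(&after);
    if (route_keys_changed(&before, &after))
        toy_route_me_harder(&after, loopback_fix);
    return after.oif;
}
```

Without the fix the packet still leaves towards the gateway with daddr ::1, which is the "effectively dropped" case Eli observed.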
