Hi Phil,

On Wed, Nov 25, 2020 at 12:23:42PM +0100, Phil Sutter wrote:
> Hi Steffen,
>
> I am working on a ticket complaining about netfilter policy match
> missing packets in OUTPUT chain if XFRM interface is being used.
>
> I don't fully overlook the relevant code path, but it seems like
> skb_dest(skb)->xfrm is not yet assigned when the skb is routed towards
> XFRM interface and already cleared again (by xfrm_output_one?) before it
> makes its way towards the real output interface. NF_INET_POST_ROUTING
> hook works though.
>
> Is this a bug or an expected quirk when using XFRM interface?

This is expected behaviour. The xfrm interfaces are plaintext devices,
the plaintext packets are routed to the xfrm interface which guarantees
transformation. So the lookup that assigns skb_dst(skb)->xfrm happens
'behind' the interface. After transformation, skb_dst(skb)->xfrm will be
cleared. So this assignment exists just inside xfrm in that case.

Does netfilter match against skb_dst(skb)->xfrm? What is the exact case
that does not work?