On 10/18/21 12:22 PM, Eugene Crosser wrote:
> This reverts commit 09e856d54bda5f288ef8437a90ab2b9b3eab83d1.
>
> When an interface is enslaved in a VRF, prerouting conntrack hook is
> called twice: once in the context of the original input interface, and
> once in the context of the VRF interface. If no special precautions are
> taken, this leads to creation of two conntrack entries instead of one,
> and breaks SNAT.
>
> Commit above was intended to avoid creation of extra conntrack entries
> when input interface is enslaved in a VRF. It did so by resetting
> conntrack related data associated with the skb when it enters VRF context.
>
> However it breaks netfilter operation. Imagine a use case when conntrack
> zone must be assigned based on the original input interface, rather than
> VRF interface (that would make original interfaces indistinguishable). One
> could create netfilter rules similar to these:
>
> chain rawprerouting {
>     type filter hook prerouting priority raw;
>     iif realiface1 ct zone set 1 return
>     iif realiface2 ct zone set 2 return
> }
>
> This works before the mentioned commit, but not after: zone assignment
> is "forgotten", and any subsequent NAT or filtering that is dependent
> on the conntrack zone does not work.
> ...
>
> Signed-off-by: Eugene Crosser <crosser@xxxxxxxxxxx>
> ---
>  drivers/net/vrf.c | 4 ----
>  1 file changed, 4 deletions(-)

Acked-by: David Ahern <dsahern@xxxxxxxxxx>
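As an added illustration, not part of the thread and not code from the kernel or the patch, here is a ruleset of the kind the commit message describes, in which a later SNAT decision depends on the zone assigned in the raw prerouting chain; the interface names, zone numbers and addresses are constructed placeholders, and realiface1/realiface2 are assumed to be enslaved to one VRF device.

```nft
# Constructed example: interface names, zone numbers and addresses are
# placeholders; realiface1 and realiface2 are assumed to be VRF slaves.
table inet zones {
    chain rawprerouting {
        # "raw" priority runs before conntrack, so the zone is chosen
        # from the real input interface before the entry is created.
        type filter hook prerouting priority raw; policy accept;
        iif "realiface1" ct zone set 1 return
        iif "realiface2" ct zone set 2 return
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # The NAT mapping depends on the zone picked above. If the skb's
        # conntrack data is reset when it re-enters prerouting in the VRF
        # context, the zone is lost and neither rule matches.
        ct zone 1 oif "wan0" snat to 192.0.2.1
        ct zone 2 oif "wan0" snat to 192.0.2.2
    }
}
```

With the reverted commit in place, a flow entering via realiface1 would leave without the expected source address because the zone-keyed rule no longer matches; after the revert the zone set in rawprerouting survives into postrouting.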