On 10/25/21 8:14 AM, Florian Westphal wrote:
> The VRF driver invokes netfilter for output+postrouting hooks so that users
> can create rules that check for 'oif $vrf' rather than lower device name.
>
> This is a problem when NAT rules are configured.
>
> To avoid any conntrack involvement in round 1, tag skbs as 'untracked'
> to prevent conntrack from picking them up.
>
> This gets cleared before the packet gets handed to the ip stack so
> conntrack will be active on the second iteration.
>
> One remaining issue is that a rule like
>
> output ... oif $vrfname notrack
>
> won't propagate to the second round because we can't tell
> 'notrack set via ruleset' and 'notrack set by vrf driver' apart.
> However, this isn't a regression: the 'notrack' removal happens
> instead of unconditional nf_reset_ct().
> I'd also like to avoid leaking more vrf specific conditionals into the
> netfilter infra.
>
> For ingress, conntrack has already been done before the packet makes it
> to the vrf driver, with this patch egress does connection tracking with
> lower/physical device as well.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> drivers/net/vrf.c | 28 ++++++++++++++++++++++++----
> 1 file changed, 24 insertions(+), 4 deletions(-)
>

Acked-by: David Ahern <dsahern@xxxxxxxxxx>