Hi Antonio,

On Sun, Sep 01, 2024 at 10:02:28PM +0000, Antonio Ojea wrote:
> The netfilter race happens when two packets with the same tuple are DNATed
> and enqueued with nfqueue in the postrouting hook.
> Once one of the packets is reinjected it may be DNATed again to a different
> destination, but the conntrack entry remains the same and the return packet
> is dropped.

maybe this patch is not your last version?

I need this chunk for ping ns3 to work:

diff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh index f754c014baa2..1720a49026a3 100755 --- a/tools/testing/selftests/net/netfilter/nft_queue.sh +++ b/tools/testing/selftests/net/netfilter/nft_queue.sh @@ -495,6 +495,7 @@ EOF ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth2.forwarding=1 > /dev/null load_ruleset "filter" 0

then if I comment out this new test_udp_race (doing so to make sure the test still works), then test_queue 10 fails.

I think maybe you posted an older incomplete version of this patch?

Thanks.
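Review bot: the added veth2 line in the @@ -495,6 +495,7 @@ hunk of nft_queue.sh only works if veth2 already exists in "$nsrouter" when this setup block runs, and its exit status is never checked. Only stdout is sent to /dev/null, so a missing interface would print a sysctl error but the script would continue and fail later at the ping to ns3, far from the cause. Since the new test depends on this sysctl, it belongs in the same patch as test_udp_race, placed after the point where veth2 is set up, with a one-line comment saying that the ns3 leg needs forwarding. The three per-interface IPv4 lines could also become a short loop over veth0 veth1 veth2, so the next interface added to the topology is not missed the same way.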