On Tue, Sep 10, 2024 at 11:24 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hi Antonio,
>
> On Sun, Sep 01, 2024 at 10:02:28PM +0000, Antonio Ojea wrote:
> > The netfilter race happens when two packets with the same tuple are DNATed
> > and enqueued with nfqueue in the postrouting hook.
> > Once one of the packets is reinjected it may be DNATed again to a different
> > destination, but the conntrack entry remains the same and the return packet
> > is dropped.
>
> maybe this patch is not your last version?
>

It is indeed not the last version, I just wanted to share a reproducer
of the issue, I've tried to attach it to the bugzilla issue but I
couldn't, so I've decided to share it over the mailing list.

I'm still learning the development workflows of this community so feel
free to guide me and correct me if I'm wrong ...

I just replied as HTML before, sorry :(

> I need this chunk for ping ns3 to work:
>
> diff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh
> index f754c014baa2..1720a49026a3 100755
> --- a/tools/testing/selftests/net/netfilter/nft_queue.sh
> +++ b/tools/testing/selftests/net/netfilter/nft_queue.sh
> @@ -495,6 +495,7 @@ EOF
> ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
> ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
> ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
> +ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth2.forwarding=1 > /dev/null
>
> load_ruleset "filter" 0
>
> then if I comment out this new test_udp_race (doing so to make sure
> the test still works), then test_queue 10 fails.
>
> I think maybe you posted an older incomplete version of this patch?
>
> Thanks.
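Review bot: the added veth2 line in the quoted hunk follows the existing per-interface veth0/veth1 pattern, but that pattern is exactly why ping to ns3 broke: IPv4 forwarding in "$nsrouter" is enabled one interface at a time while the IPv6 line above it uses net.ipv6.conf.all.forwarding=1, so every new veth the race test attaches to the router needs its own sysctl line or traffic through it is silently not forwarded. Consider a single `ip netns exec "$nsrouter" sysctl net.ipv4.conf.all.forwarding=1 > /dev/null` mirroring the IPv6 line, which removes the need to remember this for each added interface; if the per-interface form is deliberate (for example to keep a specific veth non-forwarding), a short comment next to these lines would make that intent clear and would have made the missing veth2 line obvious.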