On Wed, 18 Sept 2024 at 09:42, Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > Ok, I finally managed to get this tested, and it does not seem to
> > > solve the problem, it keeps dnating twice after the packet is enqueued
> > > by nfqueue
> >
> > dnatting twice is required to deal with the conntrack confirmation race.
>
> Antonio could also try this hack:
>
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -379,7 +379,7 @@ static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
>         unsigned int ct_verdict = verdict;
>
>         rcu_read_lock();
> -       ct_hook = rcu_dereference(nf_ct_hook);
> +       ct_hook = NULL;
>         if (ct_hook)
>                 ct_verdict = ct_hook->update(entry->state.net, entry->skb);
>         rcu_read_unlock();
>
> which defers this to the clash resolution logic.
> The ct_hook->update infra predates this, I'm not sure we need
> it anymore.

Awesome, it works perfectly

I have these patches in addition to this last one

c3d69b2c40bb selftests: netfilter: add reverse-clash resolution test case
fd7c45a0aa7a netfilter: conntrack: add clash resolution for reverse collisions
8bb12723d1c4 netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash

It works with and without

610cea0d00f8 netfilter: nfnetlink_queue: reroute reinjected packets from postrouting
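Review bot: In the nfqnl_reinject() hunk, replacing `ct_hook = rcu_dereference(nf_ct_hook);` with `ct_hook = NULL;` turns the following `if (ct_hook)` branch into dead code and leaves the `rcu_read_lock()` / `rcu_read_unlock()` pair protecting nothing, which is acceptable for the test hack it is presented as but not for a mergeable patch. If the result holds up (and the reply above reports that it does), the proper change is to delete the `ct_hook` lookup, the dead branch and the now-pointless RCU section, pass `verdict` through directly instead of via `ct_verdict`, and, since the `ct_hook->update` infrastructure is said to predate the clash resolution logic and to be unneeded now, remove that callback from `nf_ct_hook` rather than leave it registered but never called. The commit message should state that the conntrack update on reinjection is dropped because the clash resolution path now handles the case, since that is the behaviour change the thread is relying on.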