On Sun, 6 Oct 2024 at 15:44, Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
>
> > > It could be a different scenario. I was expecting consistency in UDP packet
> > > distribution is a requirement, but I understood the goal at this stage is
> > > to ensure packets are not dropped while dealing with clash resolution.
> >
> > I have applied Florian's patch to nf.git, thanks.
>
> Is there a workaround I can apply in the meantime? Kernel fixes take
> a long time to be on users' distros and I have continuous reports
> about this problem.
>
> I was thinking that I can track the tuples in userspace and hold the
> duplicate for some time, but I'm not sure this will completely solve
> the problem and I want to consider this as a last resort.
> Is there any feature in nftables that can help? Any ideas/suggestions
> I can explore?

Answering myself, and for reference in case someone hits the same problem:
I just special-cased the DNS traffic to be processed only in the PREROUTING
hook after DNAT and skip it in POSTROUTING. This does not seem to trigger
the race problem.
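The following ruleset is an added illustration of the shape of the workaround described in the reply above; it is not Antonio's actual ruleset nor kube-proxy's generated rules, and the mail does not say which postrouting rules DNS was excluded from. It assumes DNS is identified as UDP port 53, that the postrouting processing being skipped is a source-NAT (masquerade) rule, and that the table name, service VIP (10.96.0.10), backend address (10.244.0.5) and pod range (10.244.0.0/16) are constructed placeholders:

```nftables
# Constructed example: DNS is DNAT'ed in prerouting and then explicitly
# returned from the postrouting chain before any source NAT is applied,
# so a DNS packet is not processed by both NAT hooks.
table ip example_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # DNAT the (constructed) DNS service VIP to a (constructed) backend
        ip daddr 10.96.0.10 udp dport 53 dnat to 10.244.0.5
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Workaround: DNS traffic leaves this chain before the masquerade rule;
        # "return" in a base chain falls through to the chain policy (accept)
        udp dport 53 return
        # All other pod-originated traffic leaving the pod range still gets SNAT
        ip saddr 10.244.0.0/16 ip daddr != 10.244.0.0/16 masquerade
    }
}
```

Load it with `nft -f <file>` and confirm the ordering with `nft list ruleset`: the `return` must precede the `masquerade` rule, otherwise DNS is still source-NATed in postrouting and the special case has no effect.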