On Mon, Oct 07, 2024 at 09:14:41AM +0100, Antonio Ojea wrote:
> On Sun, 6 Oct 2024 at 15:44, Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> >
> > > It could be a different scenario. I was expecting consistency in UDP packet
> > > distribution to be a requirement, but I understood the goal at this stage is
> > > to ensure packets are not dropped while dealing with clash resolution.
> > >
> > > I have applied Florian's patch to nf.git, thanks.
> >
> > Is there a workaround I can apply in the meantime? Kernel fixes take
> > a long time to be on users' distros and I have continuous reports
> > about this problem.
> >
> > I was thinking that I can track the tuples in userspace and hold the
> > duplicate for some time, but I'm not sure this will completely solve
> > the problem and I want to consider this as a last resort.
> > Is there any feature in nftables that can help? Any ideas/suggestions
> > I can explore?
>
> Answering myself, and for reference in case someone hits the same
> problem: I just special-cased the DNS traffic to be processed only in
> the PREROUTING hook after DNAT and skipped it in POSTROUTING; this does
> not seem to trigger the race problem.

I am going to request inclusion of this patch in -stable so you don't have to carry this workaround in the near future.
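For reference, the shape of the workaround described in the quoted message (DNS handled by the prerouting DNAT only, and left alone by the postrouting NAT chain) as an nftables ruleset. This is an added illustration written for this page, not Antonio's ruleset and not part of the nf.git patch; the table and chain names, the addresses (a service VIP 10.96.0.10, a backend 10.244.1.5, a pod range 10.244.0.0/16, uplink "eth0") and the assumption that the deployment does DNAT in prerouting and masquerade in postrouting are all made up for the example.

```nft
# Hypothetical ruleset illustrating the workaround from the thread.
# Assumptions (not from the mailing-list post): one DNAT rule in prerouting
# steers DNS for a service VIP to a backend, and a masquerade rule in
# postrouting rewrites the source of everything leaving the pod range.
table ip nat_example {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;

		# DNS to the service VIP is DNATed here, in PREROUTING only.
		ip daddr 10.96.0.10 udp dport 53 dnat to 10.244.1.5:53
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;

		# Skip the postrouting NAT step for the DNS flows the prerouting
		# chain just DNATed. Matching on "ct status dnat" rather than on
		# "udp dport 53" alone is a design choice for this example: DNS to
		# destinations that were not DNATed still gets masqueraded below.
		ct status dnat udp dport 53 return

		# Everything else leaving the pod range is masqueraded as before.
		ip saddr 10.244.0.0/16 oifname "eth0" masquerade
	}
}
```

Load it with `nft -c -f ruleset.nft` first to syntax-check without applying, then `nft -f ruleset.nft`. To confirm the exemption is doing what you expect, resolve a name through the VIP and inspect the resulting entry with `conntrack -L -p udp --dport 53`: the DNATed flow should show the backend as the reply source and no additional source rewrite. Note that the `return` only exempts the flow from the rules that follow it in this chain; if the masquerade lives in a different table or chain with its own postrouting hook, the exemption has to be placed there as well.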