I am not sure if this is nftables related, but I post this issue here and see if any of you can come up with a clue to what might be going on.

Problem description:

When I create multiple tcp connections from the same client to multiple dst hosts at the same time, the n'th syn packet seems to be just discarded by "something". If I reorder the list of dst hosts, a different dst host will hang in SYN_SENT.

What I am seeing on the firewall running kernel 4.8.1 is the following:

* the syn packet enters through the eth1.700 interface
* the packet does _not_ exit through the eth1.300 interface as it is supposed to.
* nft trace monitoring shows the packet being accepted on eth1.300 in postrouting.
* rp_filter etc. should not be kicking in here (and also, "random" hosts are dropped)
* conntrack table is not full
* this issue seems to have suddenly appeared, is this a known bug?

--
Bjørnar