Re: nftables: masquerade sets wrong source address

On Thu, Dec 22, 2016 at 4:56 PM, Tom Hacohen <tom@xxxxxxxxx> wrote:
>
>
> On 22 Dec 2016 12:35, "Florian Westphal" <fw@xxxxxxxxx> wrote:
>
> Tom Hacohen <tom@xxxxxxxxx> wrote:
>> I'm sorry for repeating myself; however, I'd like to stress again
>> that while your workaround fixes an inconsistency between iptables and
>> nftables, the scenario itself is caused by the buggy behaviour of
>> masquerade with "lo", and that needs to be fixed too. The workaround
>> above, and any fixes to that issue will only fix the dropping of the
>> packets, but the wrong rewrite will still be there.
>
> The 'wrong rewrite' also occurs with iptables.
>
> It doesn't cause connectivity issues because in iptables the nat table
> always registers the output hook.
>
> (I agree that nft masquerade should not cause these connectivity issues,
>  but I think proper ruleset fix is to use meta iif to restrict masq to
>  the correct interface(s)).
>
>
> Yes, iptables also misbehaves here. I know you agree about not causing the
> connectivity issues, but don't you agree that the wrong rewrite shouldn't
> happen? For both iptables and nftables?
>
> I already use oif to restrict the masquerade. I'm not trying to solve it for
> myself, because I already have a working workaround. I'm trying to help
> report and resolve a bug.
>
> --
> Tom

Resending as plain text.

Yes, iptables also misbehaves here. I know you agree about not causing
the connectivity issues, but don't you agree that the wrong rewrite
shouldn't happen? For both iptables and nftables?

I already use oif to restrict the masquerade. I'm not trying to solve
it for myself, because I already have a working workaround. I'm trying
to help report and resolve a bug.

--
Tom
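An added example, not taken from the thread, showing the ruleset shape the participants describe: an unrestricted masquerade rule (the one that also matches traffic leaving via lo) beside the oif-restricted form Tom uses and the meta iif variant Florian suggests. The interface names eth0 and lan0 are assumptions.

```nft
# Added example; interface names are assumed, adjust to the host.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Unrestricted form (kept commented out): matches every packet
        # leaving any interface, including loopback, which is the case
        # the thread reports as producing the wrong source rewrite.
        # masquerade

        # Restricted by output interface (the oif workaround from the
        # thread): only packets leaving via the uplink are masqueraded.
        oifname "eth0" masquerade

        # Alternative restriction by input interface (the meta iif
        # suggestion from the thread): only traffic that arrived from
        # the LAN side is masqueraded, so locally generated and loopback
        # traffic is left alone.
        # meta iif "lan0" oifname "eth0" masquerade
    }
}
```

Load with `nft -f` and confirm the active rule with `nft list table ip nat`.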