flowtable breaks masquerade for dnat flows

I'm on kernel 5.3.5 with nftables v0.9.2 using I211-AT NICs.

I set up a very basic routing/NAT setup with masquerade SNAT and DNAT for a single port. With no flowtable, everything works as expected. When the flowtable is enabled, the egress packets for flows associated with the DNAT port (source 172.17.2.128:32400 in the example config below) do not have their source address rewritten by the masquerade rule and are emitted onto enp1s0 with the IP 172.17.2.128 instead of the IP of enp1s0. Regular SNAT/masquerade flows work fine with the flowtable on.

A minimized example is below; let me know if there's any other information I can provide.

Jonathan

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    tcp dport 32400 accept
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }

  flowtable ft {
    hook ingress priority 0; devices = {enp1s0, enp2s0};
  }

  chain forward {
    type filter hook forward priority 0; policy accept;
    ip protocol flow add @ft
  }
}

table inet nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    iif enp1s0 tcp dport 32400 dnat ip to 172.17.2.128
  }

  chain postrouting {
    type nat hook postrouting priority 100;
    oif enp1s0 masquerade
  }
}
