Daniel <tech@xxxxxxxxxx> wrote:
>
> On 16/08/2020 at 23:27, Florian Westphal wrote:
> > Daniel <tech@xxxxxxxxxx> wrote:
> > > On 16/08/2020 at 20:40, Pablo Neira Ayuso wrote:
> > > > On Fri, Aug 14, 2020 at 11:26:31PM +0200, Daniel wrote:
> > > > [...]
> > > > > UPDATE: I discovered that the traffic I see on interface gretunnel is only the
> > > > > locally generated one, which is going out with the eth0 ipv6 address. I modified
> > > > > the mangle table, which now looks like
> > > > >
> > > > > # nft table mangle ip6
> > > > > #
> > > > > $fwtables delete table ip6 mangle 2>/dev/null || true
> > > > > $fwtables add table ip6 mangle 2>/dev/null || true
> > > > > $fwtables add chain ip6 mangle output "{ type nat hook output priority -199
> > > > > ; policy accept ; }"
> > > > Why chain type 'nat'? Probably you meant to specify here 'mangle'.
> > > > NAT chains only see the first packet of flows.
> > > Because mangle is not accepted.
> > :-)
> >
> > It's 'route'. You need this for output in case you want to re-route the
> > packet if e.g. skb->mark has been altered.
> >
> > Default 'filter' won't do that.
> Like this?
>
> $fwtables add chain ip6 mangle output "{ type route hook output priority
> -199 ; policy accept ; }"
>
> No changes.

Then you have another problem.

Make sure that
ip route get $daddr
and/or
ip route get $daddr mark $MARK
give the expected results, then make sure the ip6 output chain that
serves as 'route' logic marks those packets correctly.
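As an added example (not a ruleset from the thread or its participants), here is what a 'route' output chain looks like once it actually changes skb->mark, together with the policy-routing rule that the mark selects and the `ip route get` checks suggested above; it goes one step beyond the thread by adding the marking rule itself. Interface names gretunnel and eth0 come from the thread; the mark value 0x1, routing table 100 and destination prefix 2001:db8:1::/64 are assumed.

```nft
# Added example, not the thread's own ruleset.
# Assumed values: mark 0x1, routing table 100, prefix 2001:db8:1::/64.

table ip6 mangle {
    # Not suitable here: a 'nat' chain only sees the first packet of
    # each flow, so later packets are never marked or re-routed.
    # chain output { type nat hook output priority -199; policy accept; }

    # A 'route' chain re-runs the routing decision for every locally
    # generated packet whose mark was changed inside the chain.
    chain output {
        type route hook output priority -199; policy accept;

        # Mark traffic that should leave through the tunnel instead of
        # following the default route via eth0.
        ip6 daddr 2001:db8:1::/64 meta mark set 0x1 counter
    }
}

# Policy routing selected by the mark (plain iproute2, run once):
#   ip -6 rule add fwmark 0x1 table 100
#   ip -6 route add default dev gretunnel table 100
#
# Checks, as suggested in the reply above (address is assumed):
#   ip -6 route get 2001:db8:1::10           # unmarked: expected via eth0
#   ip -6 route get 2001:db8:1::10 mark 0x1  # marked:   expected dev gretunnel
#   nft list chain ip6 mangle output         # counter should increase
```

If the marked lookup already picks gretunnel but the counter stays at zero, the routing side is fine and the rule's match (prefix or chain priority relative to other output chains) is what needs attention.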