On Wed, Dec 02, 2020 at 05:57:25PM +0200, Eliezer Croitor wrote:
> I have seen a similar "issue" with outgoing traffic generated locally.
> From what I understand the diagram:
> * https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> Doesn't talk about locally generated traffic..

I am quite sure that it is not true. Take a look at the simplified chart:
https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/

OUTPUT chains are specifically for locally generated traffic, not the
forwarded traffic.

Also see:
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks

> There is a big difference in the linux kernel routing cache since the time
> of the test...

My test is fresh. The tcpdump output I pasted was created today.

> If you want to re-produce this issue you can try to use iperf3 instead of
> iperf.
> iperf3 -c 224.1.1.1 -u -b 10k

I do not use iperf at all. I am using netcat.

> Can you create a test lab using netns ?
> You can see a fully automated example lab that I wrote at:
> https://github.com/elico/mwan-nft-lb-example/blob/main/run-lab.sh
>
> Or other lab examples can be seen at Vincent's blog posts github repository:
> https://vincent.bernat.ch/en/blog/2018-route-based-vpn-wireguard

I will take a look later to check if those are relevant.

-- 
Marcin Szewczyk
http://wodny.org
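A small nftables ruleset that makes the point about base chain hooks checkable on a single host. It is an added example, not part of the thread or of either poster's lab scripts. It counts locally generated UDP packets to a multicast destination in an output base chain and, for comparison, in a forward base chain; the group 224.1.1.1 and port 5001 are assumed values chosen to match the iperf3 command quoted above, and the table and counter names are arbitrary.

```nft
# Added example (not from the thread): show which base chain hook sees
# packets generated on this host. Load as root with:
#   nft -f mcast-check.nft
# Assumptions: destination group 224.1.1.1, UDP port 5001; names are arbitrary.
table inet mcast_check {
    # named counters so they can be read individually with
    #   nft list counter inet mcast_check mcast_out
    counter mcast_out {}
    counter mcast_fwd {}

    # hook output: traversed by packets generated by processes on this host
    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr 224.0.0.0/4 udp dport 5001 counter name mcast_out
    }

    # hook forward: traversed only by packets routed through this host,
    # never by locally generated ones
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip daddr 224.0.0.0/4 udp dport 5001 counter name mcast_fwd
    }
}
```

To exercise it with netcat rather than iperf, send a datagram from the same host, e.g. `echo test | nc -u -w1 224.1.1.1 5001`, then read the counters with `nft list counter inet mcast_check mcast_out` and `nft list counter inet mcast_check mcast_fwd`. The output counter increments per datagram while the forward counter stays at zero, which is the locally-generated versus forwarded distinction the OUTPUT chain exists for. The host needs a route covering 224.0.0.0/4 (or a default route) for the send to succeed at all; run `tcpdump -ni <iface> udp port 5001` alongside if you want to confirm the packet actually left the interface. Remove the table afterwards with `nft delete table inet mcast_check`.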