Hello,

I am trying to match the output interface in a VRF scenario.

Kernel Documentation/networking/vrf.rst says that:

    .. [2] Iptables on ingress supports PREROUTING with skb->dev set to the
       real ingress device and both INPUT and PREROUTING rules with skb->dev
       set to the VRF device. For egress POSTROUTING and OUTPUT rules can be
       written using either the VRF device or real egress device.

However my nft rules seem only to see the packet with VRF output interface and not the real device.

Stripped rules:

    table ip nat {
        chain SRCNAT {
            type nat hook postrouting priority srcnat; policy accept;
            ip protocol icmp meta nftrace set 1
        }
    }

    # nft monitor
    trace id c096ec4e ip nat SRCNAT packet: oif "vrf-lan" ip saddr 192.168.7.1 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 29475 ip length 84 icmp code net-unreachable icmp id 43 icmp sequence 1 @th,64,96 4098567253202410505966391040

Am I supposed to be able to match the real output interface there?

Thank you,
Regards.

--
Daniele Orlandi