Re: Re: nftables problem consultation

On Tuesday, December 12th, 2023 at 22:56, ye4 yu3 <ye4yu3@xxxxxxxxxxx> wrote:
> As you said, I used tcpdump to check the status of the IP packets. The rule to set the port cannot be successfully executed, and I see the IP packets appear to be damaged in the tcpdump (they no longer have source and destination ports).

That sounds like a bug (or by design?), maybe netdev tables don't know about L4 ports?

> Finally, some of my jobs require the use of egress hooks to modify the address or port. I do not use prerouting/postrouting hooks because they must have state.

Could you explain why the packets should not have state?

You can remove the connection tracking entry from a packet with 'notrack', but this must be applied very early in the packet flow.  If your intent is to avoid adding the flow to the ct table, egress is too late for that (you would need to add a rule at or before inet prerouting at priority raw).

https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation#notrack_-_Bypass_connection_tracking
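The following ruleset is an added illustration of the point made in the reply above; it is not code from either participant. It places a `notrack` rule in a prerouting chain at priority `raw` (-300), which runs before the conntrack hook (priority -200), so the matched flow never gets a conntrack entry. The table name and the port 8080 are constructed for the example; the `ct state` rule in the filter chain is there only to show that untracked packets carry `ct state untracked` and can be matched as such.

```nft
# Added example (not from the thread): bypass conntrack early enough.
table inet notrack_example {
    chain prerouting_raw {
        # priority raw (-300) runs before conntrack (-200); an egress or
        # postrouting chain is too late, the ct entry already exists by then.
        type filter hook prerouting priority raw; policy accept;
        tcp dport 8080 notrack
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # Packets that hit the notrack rule above show up as 'untracked' here,
        # so stateful rules can be written to tolerate or reject them.
        ct state untracked tcp dport 8080 counter accept
        ct state established,related accept
    }
}
```

Load it with `nft -f <file>` and then send a few packets to the chosen port; `conntrack -L` should show no entry for that flow, while `nft list ruleset` shows the `counter` on the `untracked` rule increasing. If the counter stays at zero, the `notrack` rule is not being reached early enough (or the packets are matching a different rule), which is exactly the failure mode the reply warns about for egress-hook placement.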
