[Bug 1700] New: Flowtable - Bug on devices definition
bugzilla-daemon at netfilter.org
Tue Aug 22 19:03:14 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1700
Bug ID: 1700
Summary: Flowtable - Bug on devices definition
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: nicolasfort1988 at gmail.com
--- Kernel and packages ---
Kernel: 6.1.45
vyos@vyos# sudo dpkg -l | grep nft
ii  libnftables1:amd64    1.0.8-1  amd64  Netfilter nftables high level userspace API library
ii  libnftnl11:amd64      1.2.6-1  amd64  Netfilter nftables userspace API library
ii  miniupnpd-nftables    2.3.1-1  amd64  UPnP and NAT-PMP daemon for gateway routers - nftables backend
ii  nftables              1.0.8-1  amd64  Program to control packet filtering rules by Netfilter project
--- Scenario ---
* Traffic passing through the router through eth3 and eth4
* interfaces eth1 and eth2 are not in use (unplugged)
* While defining flowtable for interfaces eth1 and eth2, I would expect no OFFLOAD flag in conntrack.
* However, I see OFFLOAD for all udp sessions (1k).
* Also, while defining no interfaces/devices in the flowtable definition, I still get OFFLOAD (example exposed above).
--- Interface configuration ---
* eth3 and eth4 used for routing
* eth1 and eth2 unplugged:
vyos@picopc# ip a
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:f0:cb:ef:dd:f8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2f0:cbff:feef:ddf8/64 scope link tentative
       valid_lft forever preferred_lft forever
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:f0:cb:ef:dd:f9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2f0:cbff:feef:ddf9/64 scope link tentative
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:02:c9:cd:86:7c brd ff:ff:ff:ff:ff:ff
    inet 16.0.0.1/8 brd 16.255.255.255 scope global eth3
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fecd:867c/64 scope link
       valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:02:c9:cd:86:7d brd ff:ff:ff:ff:ff:ff
    inet 15.0.0.1/8 brd 15.255.255.255 scope global eth4
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fecd:867d/64 scope link
       valid_lft forever preferred_lft forever
--- ip filter table ---
vyos@vyos# sudo nft list table ip vyos_filter
table ip vyos_filter {
    flowtable ft_test03 {
        hook ingress priority filter
    }

    chain VYOS_FORWARD_filter {
        type filter hook forward priority filter; policy accept;
        ip protocol udp counter packets 1385097903 bytes 2077646854500 flow add @ft_test03
        meta l4proto { tcp, udp } counter packets 2076678808 bytes 3115018212000 accept comment "FWD-filter-10"
    }

    chain VYOS_INPUT_filter {
        type filter hook input priority filter; policy accept;
    }

    chain VYOS_OUTPUT_filter {
        type filter hook output priority filter; policy accept;
    }

    chain VYOS_FRAG_MARK {
        type filter hook prerouting priority -450; policy accept;
        ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
    }
}
[edit]
--- Conntrack output while traffic passing through eth3-eth4 ---
vyos@vyos# sudo conntrack -L | grep -c OFFLOAD
conntrack v1.4.6 (conntrack-tools): 1011 flow entries have been shown.
1000
[edit]
vyos@vyos#
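A small audit script, added here as an example and not part of this bug report or of the nftables project, that automates the two checks the reporter did by hand: it reads the flowtable definitions and the link state and flags flowtables that have no devices bound or whose devices report operstate DOWN, then counts conntrack entries carrying the OFFLOAD flag. It assumes the JSON layouts of `nft -j list flowtables` (a `flowtable` object with `family`, `table`, `name` and an optional `dev` that is a string or a list) and `ip -j link show` (objects with `ifname` and `operstate`), and that `conntrack -L` marks offloaded entries with the literal token `[OFFLOAD]`; all sample data below is constructed to mirror the report's setup, and `ft_example` is a hypothetical flowtable bound to the unplugged eth1/eth2.

```python
"""Audit nftables flowtables against link state and count offloaded conntrack
entries.  Added example, not from the bug report or the nftables project.

Assumed tool output formats (not taken from the report):
  * `nft -j list flowtables` -> {"nftables": [{"flowtable": {...}}, ...]} where a
    flowtable has "family", "table", "name" and an optional "dev" (str or list).
  * `ip -j link show` -> list of objects with "ifname" and "operstate".
  * `conntrack -L` prints one entry per line, offloaded ones contain "[OFFLOAD]".
"""
import json
import subprocess

# --- Constructed sample data (mirrors the report's setup; not captured output) ---
SAMPLE_NFT_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "1.0.8", "json_schema_version": 1}},
        # The flowtable from the report: ingress hook, no devices bound at all.
        {"flowtable": {"family": "ip", "table": "vyos_filter", "name": "ft_test03",
                       "handle": 1, "hook": "ingress", "prio": 0}},
        # Hypothetical flowtable bound to the two unplugged interfaces.
        {"flowtable": {"family": "ip", "table": "vyos_filter", "name": "ft_example",
                       "handle": 2, "hook": "ingress", "prio": 0,
                       "dev": ["eth1", "eth2"]}},
    ]
})

SAMPLE_IP_LINK_JSON = json.dumps([
    {"ifindex": 3, "ifname": "eth1", "flags": ["NO-CARRIER", "BROADCAST", "MULTICAST", "UP"],
     "operstate": "DOWN"},
    {"ifindex": 4, "ifname": "eth2", "flags": ["NO-CARRIER", "BROADCAST", "MULTICAST", "UP"],
     "operstate": "DOWN"},
    {"ifindex": 5, "ifname": "eth3", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "operstate": "UP"},
    {"ifindex": 6, "ifname": "eth4", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "operstate": "UP"},
])

# Constructed conntrack -L lines: two offloaded UDP flows, one ordinary TCP flow.
SAMPLE_CONNTRACK = [
    "udp      17 29 src=16.0.0.2 dst=15.0.0.2 sport=40000 dport=5001 "
    "src=15.0.0.2 dst=16.0.0.2 sport=5001 dport=40000 [OFFLOAD] mark=0 use=2",
    "udp      17 29 src=16.0.0.3 dst=15.0.0.3 sport=40001 dport=5001 "
    "src=15.0.0.3 dst=16.0.0.3 sport=5001 dport=40001 [OFFLOAD] mark=0 use=2",
    "tcp      6 431999 ESTABLISHED src=16.0.0.4 dst=15.0.0.4 sport=50000 dport=22 "
    "src=15.0.0.4 dst=16.0.0.4 sport=22 dport=50000 [ASSURED] mark=0 use=1",
]


def flowtable_devices(nft_json):
    """Map 'table/name' -> list of bound device names (empty when none bound)."""
    result = {}
    for obj in json.loads(nft_json).get("nftables", []):
        ft = obj.get("flowtable")
        if ft is None:  # metainfo or other object types
            continue
        dev = ft.get("dev", [])
        if isinstance(dev, str):  # a single device is emitted as a bare string
            dev = [dev]
        result["%s/%s" % (ft["table"], ft["name"])] = list(dev)
    return result


def link_operstate(ip_json):
    """Map interface name -> operstate ('UP', 'DOWN', 'UNKNOWN', ...)."""
    return {link["ifname"]: link.get("operstate", "UNKNOWN")
            for link in json.loads(ip_json)}


def audit_flowtables(nft_json, ip_json):
    """Return (flowtable, finding) tuples for flowtables that cannot offload
    anything: no devices bound, a device that does not exist, or a device
    whose operstate is not UP."""
    findings = []
    states = link_operstate(ip_json)
    for ft, devs in flowtable_devices(nft_json).items():
        if not devs:
            findings.append((ft, "no devices bound"))
        for dev in devs:
            state = states.get(dev)
            if state is None:
                findings.append((ft, "device %s not present" % dev))
            elif state != "UP":
                findings.append((ft, "device %s operstate %s" % (dev, state)))
    return findings


def count_offloaded(conntrack_lines):
    """Count conntrack entries flagged [OFFLOAD] (what `grep -c OFFLOAD` does)."""
    return sum(1 for line in conntrack_lines if "[OFFLOAD]" in line)


def run_live():
    """Query the running system (needs root and the nft/ip/conntrack binaries)."""
    def out(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    nft = out(["nft", "-j", "list", "flowtables"])
    ip = out(["ip", "-j", "link", "show"])
    ct = out(["conntrack", "-L"]).splitlines()  # summary line goes to stderr
    return audit_flowtables(nft, ip), count_offloaded(ct)


if __name__ == "__main__":
    for ft, msg in audit_flowtables(SAMPLE_NFT_JSON, SAMPLE_IP_LINK_JSON):
        print("%s: %s" % (ft, msg))
    print("offloaded conntrack entries:", count_offloaded(SAMPLE_CONNTRACK))
```

Run as-is it reports on the constructed samples; `run_live()` performs the same checks against the running router. A flowtable listed with "no devices bound" or with every device DOWN, next to a non-zero offloaded count, is exactly the combination the report describes and is the signal worth alerting on when validating a flowtable rollout.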