<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Flowtable - Bug on devices definition"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1700">1700</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Flowtable - Bug on devices definition
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.0.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>nicolasfort1988@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>--- Kernel and packages ---
Kernel: 6.1.45
vyos@vyos# sudo dpkg -l | grep nft
ii libnftables1:amd64 1.0.8-1 amd64
Netfilter nftables high level userspace API library
ii libnftnl11:amd64 1.2.6-1 amd64
Netfilter nftables userspace API library
ii miniupnpd-nftables 2.3.1-1 amd64
UPnP and NAT-PMP daemon for gateway routers - nftables backend
ii nftables 1.0.8-1 amd64
Program to control packet filtering rules by Netfilter project
--- Scenario ---
* Traffic passing through the router through eth3 and eth4
* interfaces eth1 and eth2 are not in use (unplugged)
* While defining a flowtable for interfaces eth1 and eth2, I would expect no
OFFLOAD flag in conntrack.
* However, I see OFFLOAD for all udp sessions (1k).
* Also, while defining no interfaces/devices in the flowtable definition, I
still get OFFLOAD (example exposed above).
--- Interface configuration ---
* eth3 and eth4 used for routing
* eth1 and eth2 unplugged:
vyos@picopc# ip a
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group
default qlen 1000
link/ether 00:f0:cb:ef:dd:f8 brd ff:ff:ff:ff:ff:ff
inet6 fe80::2f0:cbff:feef:ddf8/64 scope link tentative
valid_lft forever preferred_lft forever
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group
default qlen 1000
link/ether 00:f0:cb:ef:dd:f9 brd ff:ff:ff:ff:ff:ff
inet6 fe80::2f0:cbff:feef:ddf9/64 scope link tentative
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
default qlen 1000
link/ether 00:02:c9:cd:86:7c brd ff:ff:ff:ff:ff:ff
inet 16.0.0.1/8 brd 16.255.255.255 scope global eth3
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fecd:867c/64 scope link
valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
default qlen 1000
link/ether 00:02:c9:cd:86:7d brd ff:ff:ff:ff:ff:ff
inet 15.0.0.1/8 brd 15.255.255.255 scope global eth4
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fecd:867d/64 scope link
valid_lft forever preferred_lft forever
--- ip filter table ---
vyos@vyos# sudo nft list table ip vyos_filter
table ip vyos_filter {
flowtable ft_test03 {
hook ingress priority filter
}
chain VYOS_FORWARD_filter {
type filter hook forward priority filter; policy accept;
ip protocol udp counter packets 1385097903 bytes 2077646854500 flow add
@ft_test03
meta l4proto { tcp, udp } counter packets 2076678808 bytes
3115018212000 accept comment "FWD-filter-10"
}
chain VYOS_INPUT_filter {
type filter hook input priority filter; policy accept;
}
chain VYOS_OUTPUT_filter {
type filter hook output priority filter; policy accept;
}
chain VYOS_FRAG_MARK {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
}
}
[edit]
--- Conntrack output while traffic passing through eth3-eth4 ---
vyos@vyos# sudo conntrack -L | grep -c OFFLOAD
conntrack v1.4.6 (conntrack-tools): 1011 flow entries have been shown.
1000
[edit]
vyos@vyos#</pre>
</div>
</p>
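<p>An added example, not part of the report or of the nftables project: a small Python check that parses <code>nft list table</code> output, maps each flowtable to its declared devices, and flags every <code>flow add @ft</code> target that has no devices (the case in the report, where conntrack shows OFFLOAD although no device can take the fastpath) or whose devices do not include the interfaces actually used for forwarding. The ruleset below is a constructed sample modelled on the one in the report; the second flowtable, <code>ft_ok</code>, is added to show the healthy case.</p>

```python
import re

# Constructed sample modelled on the report's ruleset: ft_test03 has no
# devices list, ft_ok (hypothetical) binds the routing interfaces eth3/eth4.
SAMPLE_RULESET = """
table ip vyos_filter {
    flowtable ft_test03 {
        hook ingress priority filter
    }
    flowtable ft_ok {
        hook ingress priority filter
        devices = { eth3, eth4 }
    }
    chain VYOS_FORWARD_filter {
        type filter hook forward priority filter; policy accept;
        ip protocol udp counter flow add @ft_test03
        ip protocol tcp counter flow add @ft_ok
        meta l4proto { tcp, udp } counter accept comment "FWD-filter-10"
    }
}
"""

# Flowtable body may contain one nested brace pair (the devices set).
FLOWTABLE_RE = re.compile(r"flowtable\s+(\S+)\s*\{((?:[^{}]|\{[^{}]*\})*)\}", re.S)
DEVICES_RE = re.compile(r"devices\s*=\s*\{([^}]*)\}")
# Both spellings of the offload statement: "flow add @ft" and older "flow offload @ft".
FLOW_ADD_RE = re.compile(r"\bflow\s+(?:add|offload)\s+@(\S+)")

def parse_flowtables(ruleset):
    """Map flowtable name -> set of device names declared for it (empty if none)."""
    tables = {}
    for name, body in FLOWTABLE_RE.findall(ruleset):
        m = DEVICES_RE.search(body)
        tables[name] = {d.strip() for d in m.group(1).split(",") if d.strip()} if m else set()
    return tables

def find_offload_issues(ruleset, forwarding_ifaces):
    """Return (flowtable, problem) pairs for each offload target whose device
    list cannot carry the forwarding traffic."""
    tables = parse_flowtables(ruleset)
    issues = []
    for name in sorted(set(FLOW_ADD_RE.findall(ruleset))):
        devs = tables.get(name)
        if devs is None:
            issues.append((name, "referenced but not defined"))
        elif not devs:
            issues.append((name, "no devices: conntrack shows OFFLOAD but no fastpath"))
        elif not devs & set(forwarding_ifaces):
            issues.append((name, "devices %s do not include forwarding interfaces" % sorted(devs)))
    return issues

if __name__ == "__main__":
    for ft, why in find_offload_issues(SAMPLE_RULESET, ["eth3", "eth4"]):
        print("%s: %s" % (ft, why))
```

On a live system, feed it the output of <code>nft list ruleset</code> and the interfaces from <code>ip route</code>; any flagged flowtable explains an OFFLOAD count in <code>conntrack -L</code> that does not correspond to real fastpath traffic.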
</body>
</html>