From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/3 nf-next] nf_tables: add fib expression
Date: Thu, 27 Oct 2016 20:16:55 +0200
Message-ID: <20161027181655.GA24243@salvia>
In-Reply-To: <1477321002-14056-2-git-send-email-fw@strlen.de>
On Mon, Oct 24, 2016 at 04:56:40PM +0200, Florian Westphal wrote:
> Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
> just dispatches to ipv4 or ipv6 one based on nfproto).
>
> Currently supports fetching output interface index/name and the
> rtm_type associated with an address.
>
> This can be used for adding path filtering. rtm_type is useful
> to e.g. enforce a strong-end host model where packets
> are only accepted if daddr is configured on the interface the
> packet arrived on.
>
> The fib expression is a native nftables alternative to the
> xtables addrtype and rp_filter matches.
>
> FIB result order for oif/oifname retrieval is as follows:
> - if packet is local (skb has rtable, RTF_LOCAL set, this
> will also catch looped-back multicast packets), set oif to
> the loopback interface.
> - if fib lookup returns an error, or result points to local,
> store zero result. This means '--local' option of -m rpfilter
> is not supported. It is possible to use 'fib type local' or add
> explicit saddr/daddr matching rules to create exceptions if this
> is really needed.
> - store result in the destination register.
> In case of multiple routes, search set for desired oif in case
> strict matching is requested.
>
> ipv4 and ipv6 fib expressions are supposed to behave the same.
This looks great, applied, thanks Florian.
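As an added illustration (not part of the patch or of this thread), the ruleset below shows how the lookup behaviour described in the commit message maps onto rules in the nft frontend from patch 3/3; the `missing` keyword and the `type` value names are assumed to match the syntax of released nft.

```nft
# Constructed example ruleset, not taken from the patch series.
table inet filter {
	chain prerouting {
		type filter hook prerouting priority -300; policy accept;

		# Optional exception emulating '-m rpfilter --local': a locally
		# owned saddr would otherwise yield oif 0 and be dropped below.
		# fib saddr type local counter accept

		# Reverse path filter (native replacement for -m rpfilter):
		# look up the route back to saddr with strict matching against
		# the ingress interface. A failed lookup, or a result pointing
		# to local, stores oif 0 ("missing"), so those packets are dropped.
		fib saddr . iif oif missing counter drop

		# Strong end host model (native replacement for -m addrtype):
		# only accept packets whose daddr is configured on the interface
		# they arrived on, plus broadcast and multicast destinations.
		fib daddr . iif type != { local, broadcast, multicast } counter drop
	}
}
```

Because the expression runs at prerouting, the drops happen before the routing decision, which is where rp_filter-style checks belong.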
Thread overview: 5+ messages
2016-10-24 14:56 [PATCH 0/3 various] netfilter: add fib expression Florian Westphal
2016-10-24 14:56 ` [PATCH 1/3 nf-next] nf_tables: " Florian Westphal
2016-10-27 18:16 ` Pablo Neira Ayuso [this message]
2016-10-24 14:56 ` [PATCH 2/3 libnftables] expr: " Florian Westphal
2016-10-24 14:56 ` [PATCH 3/3 nft] src: " Florian Westphal