From: Phil Sutter <phil@nwl.cc>
To: Quentin Armitage <quentin@armitage.org.uk>
Cc: Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: nftables: fix documentation for dup statement
Date: Mon, 31 Aug 2020 18:49:06 +0200
Message-ID: <20200831164906.GY23632@orbyte.nwl.cc>
In-Reply-To: <1c9c80c0645a79d93ccecdc7ecceb22e15bba5df.camel@armitage.org.uk>

Hi Quentin,

On Thu, Aug 27, 2020 at 07:59:19PM +0100, Quentin Armitage wrote:
> On Thu, 2020-08-27 at 19:40 +0200, Florian Westphal wrote:
> > Phil Sutter <phil@nwl.cc> wrote:
> > > Hi,
> > >
> > > On Thu, Aug 27, 2020 at 04:42:00PM +0100, Quentin Armitage wrote:
> > > > The dup statement requires an address, and the device is optional,
> > > > not the other way round.
> > > >
> > > > Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
> > > > ---
> > > > doc/statements.txt | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/doc/statements.txt b/doc/statements.txt
> > > > index 9155f286..835db087 100644
> > > > --- a/doc/statements.txt
> > > > +++ b/doc/statements.txt
> > > > @@ -648,7 +648,7 @@ The dup statement is used to duplicate a packet and
> > > > send the
> > > > copy to a different
> > > > destination.
> > > >
> > > > [verse]
> > > > -*dup to* 'device'
> > > > +*dup to* 'address'
> > > > *dup to* 'address' *device* 'device'
> > > >
> > > > .Dup statement values
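Review bot: The `-*dup to* 'device'` line is replaced outright, which removes the device-only form from the synopsis instead of qualifying it. The replies in this thread state that `dup to eth0` is accepted in the netdev ingress hook, while the ipv4/ipv6 families need the address. Suggest keeping all three synopsis lines and noting next to each which family it applies to, so the documentation does not swap one incomplete description for another. The patch is a single-line change (1 insertion, 1 deletion), so the examples that follow the synopsis are left as they are; they should be checked against the same per-family rule and corrected in the same patch.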
> > >
> > > The examples are wrong, too. I wonder if this is really just a mistake
> > > and all three examples given (including the "advanced" usage using a
> > > map) are just wrong or if 'dup' actually was meant to support
> > > duplicating to a device in mirror port fashion.
> >
> > Right, 'dup to eth0' can be used in the netdev ingress hook.
> >
> > For dup from ipv4/ipv6 families the address is needed.
>
> So it seems the valid options are:
> *dup to* 'device' # netdev ingress hook only
> *dup to* 'address' # ipv4/ipv6 only
> *dup to* 'address' *device* 'device' # ipv4/ipv6 only
>
> From a user perspective being able to specify "dup to 'device'" is something
> that is useful to be able to specify. I am now using:
> dup to ip[6] daddr device 'device'
> but it seems to me that having to specify "to ip[6] daddr" is unnecessary.

Oh, and that works? From reading nf_dup_ipv4.c, the kernel seems to
perform a route lookup for the packet's daddr on given iface. Did you
add an onlink route or something to make sure that succeeds?

Cheers, Phil