From: Florian Westphal <fw@strlen.de>
To: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [RFC nf-next PATCH] netfilter: nft: introduce broute chain type
Date: Wed, 22 Feb 2023 12:37:31 +0100 [thread overview]
Message-ID: <20230222113731.GE12484@breakpoint.cc> (raw)
In-Reply-To: <20230222110337.15951-1-sriram.yagnaraman@est.tech>
Sriram Yagnaraman <sriram.yagnaraman@est.tech> wrote:
> Is there any interest or plan to implement BROUTE chain type for nftables?
I'm not aware of anyone working on broute for nftables.
Not sure a new chain type is good, it seems better to implement it via
a new expression.
> We have a situation when a network interface that is part of a bridge is
> used to receive PTP and/or EAPOL packets. Userspace daemons that use
> AF_PACKET to capture specific ether types do not receive the packets,
> and they are instead bridged. We are currently still using etables -t
> broute to send packets packets up the stack. This functionality seems to
> be missing in nftables. Below you can find a proposal that could be used,
> of course there is some work to introduce the chain type and a default
> priority in nftables userspace tool.
Can't you just override the destination mac to point to the bridge
device itself?
> I could see there are other users asking for BROUTE:
> [1]: https://bugzilla.netfilter.org/show_bug.cgi?id=1316
> [2]: https://lore.kernel.org/netfilter-devel/20191024114653.GU25052@breakpoint.cc/
> [3]: https://marc.info/?l=netfilter&m=154807010116514
>
> broute chain type is just a copy from etables -t broute implementation.
> NF_DROP: skb is routed instead of bridged, and mapped to NF_ACCEPT.
> All other verdicts are returned as it is.
>
> Please advise if there are better ways to solve this instead of using
> the br_netfilter_broute flag.
The br_netfilter_broute flag is required, but I don't like a new chain
type for this, nor keeping the drop/accept override.
I'd add a new "broute" expression that sets the flag in the skb cb
and sets NF_ACCEPT, useable in bridge family -- I think that this would
be much more readable.
As this expression would be very small I'd make it builtin if nftables
bridge support is enabled.
next prev parent reply other threads:[~2023-02-22 11:37 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-22 11:03 [RFC nf-next PATCH] netfilter: nft: introduce broute chain type Sriram Yagnaraman
2023-02-22 11:37 ` Florian Westphal [this message]
2023-02-22 11:49 ` Florian Westphal
2023-02-22 16:37 ` Sriram Yagnaraman
2023-02-23 9:06 ` Pablo Neira Ayuso
2023-02-22 16:36 ` Sriram Yagnaraman
2023-02-22 22:17 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230222113731.GE12484@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sriram.yagnaraman@est.tech \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.