From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next] netfilter: fib: avoid lookup if socket is available
Date: Thu, 13 Mar 2025 00:19:48 +0100
Message-ID: <Z9IWlD2TO8qRRySD@calendula>
In-Reply-To: <20250312213831.GB4233@breakpoint.cc>

On Wed, Mar 12, 2025 at 10:38:31PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > + switch (nft_hook(pkt)) {
> > > + case NF_INET_PRE_ROUTING:
> > > + case NF_INET_INGRESS:
> >
> > Not an issue in your patch itself, it seems nft_fib_validate() was
> > never updated to support NF_INET_INGRESS.
>
> Yes, probably better to do that in a different patch.
>
> > > + if (nft_fib_can_skip(pkt)) {
> > > + nft_fib_store_result(dest, priv, nft_in(pkt));
> > > + return;
> > > + }
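Review bot: the early return after nft_fib_can_skip(pkt) carries no comment saying why nft_in(pkt) can be stored as the result without a lookup, and the question that follows about NFTA_FIB_F_MARK and NFTA_FIB_F_DADDR shows this is not obvious from the code. Suggest a short comment above the `if` recording the reasoning given in this thread: the skb is headed to a socket, the stack's own route lookup has already picked nft_in as the interface for this daddr, and a different mark set at this point is too late to change the routing result.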
> >
> > Silly question: Does this optimization work for all cases?
> > NFTA_FIB_F_MARK and NFTA_FIB_F_DADDR.
>
> It's the socket that the skb will be delivered to, so I don't see
> an issue. Theoretically you could set a different mark in input,
> but what is it good for? It's too late to change routing result.

I see, makes no sense to trigger another lookup with the different
mark after the stack already provides a route (no use-case for this).

> As this sits in input hook, route lookup done by stack (not by fib
> expr) already picked nft_in as the 'right' interface for this daddr.

Thanks for explaining.