From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
lschlesinger@drivenets.com, dsahern@kernel.org,
crosser@average.org
Subject: Re: [PATCH v2 net-next 2/2] vrf: run conntrack only in context of lower/physdev for locally generated packets
Date: Tue, 26 Oct 2021 14:36:28 +0200
Message-ID: <YXf2TJivC1Tp3Tfj@salvia>
In-Reply-To: <20211025141400.13698-3-fw@strlen.de>

Hi,

One question about this.

On Mon, Oct 25, 2021 at 04:14:00PM +0200, Florian Westphal wrote:
> The VRF driver invokes netfilter for output+postrouting hooks so that users
> can create rules that check for 'oif $vrf' rather than lower device name.

If the motivation for these hooks in the driver is to match for 'oif vrf',
now that there is an egress hook, it might make more sense to filter
from there based on the interface rather than adding these hook calls
from the vrf driver?

I wonder if, in the future, it makes sense to entirely disable these
hooks in the vrf driver and rely on the egress hook?