From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft] src: ingress inet support
Date: Wed, 14 Oct 2020 20:47:25 +0200
Message-ID: <20201014184725.GA17701@salvia>
In-Reply-To: <f790c9ca-a556-98d7-d371-e073cfbc10e5@netfilter.org>
Hi Arturo,
On Wed, Oct 14, 2020 at 05:54:13PM +0200, Arturo Borrero Gonzalez wrote:
> On 2020-10-13 13:38, Pablo Neira Ayuso wrote:
> > Add support for inet ingress chains.
> >
> > table inet filter {
> >         chain ingress {
> >                 type filter hook ingress device "veth0" priority filter; policy accept;
> >         }
> >         chain input {
> >                 type filter hook input priority filter; policy accept;
> >         }
> >         chain forward {
> >                 type filter hook forward priority filter; policy accept;
> >         }
> > }
>
> This sounds interesting, thanks.
>
> I could see some questions coming from users:
>
> * where are the docs on which packet/traffic sees this nft family vs netdev?
> * what are the added benefits of this nft family vs netdev?
See patch update for documentation, let me know if this addresses
these two questions. I can extend it further, let me know.
> * is the netdev family somehow deprecated?
I don't think so. The netdev family is still useful for filtering packets
of any possible ethertype that are entering through a given device
(for instance ARP, 802.1q, 802.1ad among others). The only difference
between inet ingress and netdev ingress is that the sets and maps that
are defined in a given inet table can be accessed from the ingress
chain, note that it is not possible to access inet sets and maps from
the netdev ingress chain.
If your ruleset is focused on traffic filtering for IPv4 and IPv6,
then inet ingress should be enough.
The ingress netdev chain also comes with hardware offload support,
which allows you to drop packets from the NIC, which might be useful
in DoS scenarios to save CPU cycles. You only have to check if your
NIC is supported.
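The difference Pablo describes (an inet ingress chain can look up sets and maps defined in the same inet table, while a netdev ingress chain cannot reach them and sees every ethertype) is easiest to see in a complete ruleset. The following is an added example written for this page, not code from the patch or from the netfilter project; the interface name eth0, the blocklist prefixes (taken from the RFC 5737 / RFC 3849 documentation ranges) and the chain priorities are assumptions.

```nft
# Added example, not part of the nft patch or this thread.
# Assumed: interface "eth0", documentation-range blocklist prefixes,
# a kernel and nft new enough to support "hook ingress" in the inet family.

table inet filter {
        # Sets live in the inet table and are reachable from every inet
        # chain below, including the ingress chain.
        set blocklist4 {
                type ipv4_addr
                flags interval
                elements = { 203.0.113.0/24 }
        }
        set blocklist6 {
                type ipv6_addr
                flags interval
                elements = { 2001:db8:bad::/48 }
        }

        chain ingress {
                # inet ingress sees only IPv4 and IPv6 frames arriving on
                # eth0, before prerouting and therefore before conntrack.
                # Dropping here spares the stack the rest of the walk.
                type filter hook ingress device "eth0" priority filter; policy accept;
                ip saddr @blocklist4 counter drop
                ip6 saddr @blocklist6 counter drop
        }

        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                iif "lo" accept
                tcp dport 22 accept
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept
        }
}

table netdev fastpath {
        # A netdev ingress chain on the same device sees every ethertype,
        # not just IPv4/IPv6, so it is the place for ARP and VLAN policy.
        # It cannot reference @blocklist4/@blocklist6 from "inet filter";
        # a netdev table needs its own sets for that.
        chain ingress {
                type filter hook ingress device "eth0" priority -500; policy accept;
                # Add "flags offload;" after the type line on a NIC that
                # supports nft hardware offload; rules then must be
                # offloadable or the chain fails to load.
                ether type arp counter accept
                ether type vlan counter accept
        }
}
```

Load it with `nft -f ruleset.nft` (or `nft -c -f ruleset.nft` to syntax-check without applying), then confirm with `nft list ruleset` that the two ingress chains coexist on eth0: the netdev chain runs first because of its lower priority, and the inet chain only ever sees what the IP dissector accepts. Trying to add `ip saddr @blocklist4 drop` to the netdev chain is the quickest way to observe the set-scope rule Pablo mentions; nft rejects the reference because the set belongs to a different table.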
Thread overview: 5+ messages
2020-10-13 11:38 [PATCH nft] src: ingress inet support Pablo Neira Ayuso
2020-10-14 15:54 ` Arturo Borrero Gonzalez
2020-10-14 18:47 ` Pablo Neira Ayuso [this message]
2020-10-14 18:48 ` Pablo Neira Ayuso
2020-10-15 9:16 ` Arturo Borrero Gonzalez