From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next] netfilter: fib: avoid lookup if socket is available
Date: Wed, 12 Mar 2025 22:38:31 +0100 [thread overview]
Message-ID: <20250312213831.GB4233@breakpoint.cc> (raw)
In-Reply-To: <Z9HdO_7XgQBbxcg1@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > + switch (nft_hook(pkt)) {
> > + case NF_INET_PRE_ROUTING:
> > + case NF_INET_INGRESS:
>
> Not an issue in your patch itself, it seems nft_fib_validate() was
> never updated to support NF_INET_INGRESS.
Yes, probably better to do that in a different patch.
> > + if (nft_fib_can_skip(pkt)) {
> > + nft_fib_store_result(dest, priv, nft_in(pkt));
> > + return;
> > + }
>
> Silly question: Does this optimization work for all cases?
> NFTA_FIB_F_MARK and NFTA_FIB_F_DADDR.
Its the socket that the skb will be delivered to, so I don't see
an issue. Theoretically you could set a different mark in input,
but what is it good for? Its too late to change routing result.
As this sits in input hook, route lookup done by stack (not by fib
expr) already picked nft_in as the 'right' interface for this daddr.
next prev parent reply other threads:[~2025-03-12 21:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-20 13:07 [PATCH nf-next] netfilter: fib: avoid lookup if socket is available Florian Westphal
2025-03-12 19:15 ` Pablo Neira Ayuso
2025-03-12 21:38 ` Florian Westphal [this message]
2025-03-12 23:19 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250312213831.GB4233@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).