netfilter-devel.vger.kernel.org archive mirror
From: "Bjørnar Ness" <bjornar.ness@gmail.com>
To: Florian Westphal <fw@strlen.de>
Cc: Michal Kubecek <mkubecek@suse.cz>,
	Jan Engelhardt <jengelh@inai.de>,
	netfilter-devel@vger.kernel.org
Subject: Re: routing table lookup
Date: Fri, 14 Oct 2016 18:48:28 +0200
Message-ID: <CAJO99T=NxgSu8_J-nK4FQW6yw2b_+KsSwS04chxv93YoTxkoOw@mail.gmail.com>
In-Reply-To: <20161014114421.GB10404@breakpoint.cc>

2016-10-14 13:44 GMT+02:00 Florian Westphal <fw@strlen.de>:
> Bjørnar Ness <bjornar.ness@gmail.com> wrote:
>>
>> ip saddr rt_table 10 drop
>>
>> comments?
>
> I don't really understand why you would want this.
>
> If you only want to match saddr, why not use ipset (or nftables set) for
> this?

It's hard to populate via routing protocols. RTBH / Source RTBH is very
convenient, and handles all the details (filtering, timeout etc etc) in the routing
daemon (bird in my case). It is of course possible to make a middleware that
listens for updates on a routing table, and propagates them to a set, but
that's what I would want to and could avoid if I was given access to a
"set type" lookup in a specific table.

> If you want to use the fib, why not use blackhole routes?

Because it is not possible to do saddr based lookups in prerouting;
the only way this is possible is if one enables rp_filter, and the packet will
then have traveled far inside the kernel already. Also, it is not possible
to send ICMP unreachable, for example, using the rp_filter method.

> I'd like to understand why you need this 'rule skip' thing, seems we
> would have to export some fib internals for this which I'd like to
> avoid.

I hope you can see the use of this. And it also probably has other use cases.

Regards,
--
Bj(/)rnar
