Re: [PATCH nft] src: Support netdev egress hook

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Wed, Oct 27, 2021 at 02:14:42PM +0200, Lukas Wunner wrote:
> On Wed, Oct 27, 2021 at 12:17:15PM +0200, Pablo Neira Ayuso wrote:
> > Hi Lukas,
> > 
> > This is the rebase I'm using here locally for testing, let me know if
> > you have more pending updates on your side.
> 
> I'm using the attached two patches.  The first one moves Python tests
> dup.t and fwd.t to the netdev directory, the second one adds nft egress
> support.
> 
> Phil and Florian noted back in January that the payload dumps should
> contain "oiftype" instead of "iiftype".  That's the only remaining
> issue not yet addressed in the attached patches:
> 
> https://lore.kernel.org/all/20210125133405.GR19605@breakpoint.cc/

See:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20211025134329.1030333-1-pablo@netfilter.org/

to generalize the iftype.

I still have to post a patch to update libnftnl, then update all
dumps to refer to iftype instead of iiftype.

> The difference between the patch you've posted here and the attached ones
> are primarily more extensive docs.  Also, the following two issues are
> not present in my version:
> 
> 
> > +All packets leaving the system are processed by this hook. It is invoked after
> > +layer 3 protocol handlers and after *tc* egress. It can be used for late
>                                  ^^^^^
> 				 before
> 
> > --- a/tests/py/inet/ah.t
> > +++ b/tests/py/inet/ah.t
> > @@ -1,10 +1,12 @@
> >  :input;type filter hook input priority 0
> >  :ingress;type filter hook ingress device lo priority 0
> > +:egress;type filter hook ingress device lo priority 0
>                             ^^^^^^^
> 			    egress

I'll apply these two patches if you are fine with their state.

I'd just would like to have this in the tree for easier testing,
I have to switch over several local branches here, one less makes it
slightly easier for me. And to include this in the next release.

Thanks.