Patrick McHardy <kaber@xxxxxxxxx> wrote:
> > main drawback:
> > - additional fib lookup to get oif (used as flow key in reverse lookup)
>
> As discussed during the workshop, we could just perform input routing
> in the module to get the oif for free. That would require to take care
> of statistics as currently done in ip_rcv_finish() though.

Right. Any idea on how to solve the 'struct sk_buff *' (ip_route_input)
vs. 'const struct sk_buff *' (matches) problem?

We'd have to modify all the match signatures...

> > Other issues:
> > - can't use FORWARD chain because by the time FORWARD is invoked
> >   ipv4 forward path may have already sent icmp messages in response
> >   to to-be-discarded-via-rpfilter packets
> > - using it in PREROUTING may do the wrong thing (e.g. when using
> >   policy routing via mangle PREROUTING)
>
> Not if you're setting up policy routing keys (marks) before doing
> rp_filter, right? Would require using it in the mangle table of
> course.

Yes that should work as well. It might be unexpected for some people,
though (but this is just a documentation issue).