On 5 February 2014 12:17, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>>
>> I guess an NFPROTO_INET specific reject module that dispatches to
>> the IPv4 and IPv6 versions is the only possibility unless we want
>> to add restrictions (which I don't).
>
> I think that, once the infrastructure to provide expressions per
> family is in place, a specific reject for inet is a good idea. It can
> reply depending on the packet family that it sees at _eval(...). I
> don't have any better idea on how to handle this case.

Just wondering if this idea could be reused to allow nft_payload to
fetch ip src/dst in a family-independent way, so we can have dual-stacked
rules of this kind:

nft add rule inet filter input ip daddr www.example.com accept

or maybe:

nft add rule inet filter input ip daddr { 1.1.1.1 : accept , ::1 : accept }

--
Arturo Borrero González
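As an added illustration (not part of the thread, and not netfilter or nftables code), here is a small userspace C model of the dispatch Pablo describes, applied to Arturo's idea: the payload fetch picks the IPv4 or IPv6 header layout from the packet's own version nibble at eval time instead of from the table family, and the fetched destination address is then matched against a set that mixes both families, as in the second rule quoted above. All names here (fetch_daddr, inet_daddr_in_set, demo_rule, accept_set) are invented for the example, the packets are constructed header-only buffers, and the set is matched by a linear scan rather than nft's set backends.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

enum l3_family { L3_IPV4 = 4, L3_IPV6 = 6 };

struct l3_addr {
    enum l3_family family;
    uint8_t bytes[16];              /* 4 bytes used for IPv4, 16 for IPv6 */
};

/* The family-independent fetch: the header layout is chosen from the
 * packet's own version nibble at eval time, not from the table family. */
static int fetch_daddr(const uint8_t *pkt, size_t len, struct l3_addr *out)
{
    if (len < 1)
        return -1;
    switch (pkt[0] >> 4) {
    case 4:
        if (len < 20)               /* minimal IPv4 header */
            return -1;
        out->family = L3_IPV4;
        memcpy(out->bytes, pkt + 16, 4);   /* IPv4 daddr at offset 16 */
        return 0;
    case 6:
        if (len < 40)               /* fixed IPv6 header */
            return -1;
        out->family = L3_IPV6;
        memcpy(out->bytes, pkt + 24, 16);  /* IPv6 daddr at offset 24 */
        return 0;
    default:
        return -1;                  /* neither IPv4 nor IPv6: cannot match */
    }
}

/* Set elements are given as text; the family follows from the syntax. */
static int parse_addr(const char *text, struct l3_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, out->bytes) == 1) {
        out->family = L3_IPV4;
        return 0;
    }
    if (inet_pton(AF_INET6, text, out->bytes) == 1) {
        out->family = L3_IPV6;
        return 0;
    }
    return -1;
}

static int addr_eq(const struct l3_addr *a, const struct l3_addr *b)
{
    if (a->family != b->family)
        return 0;
    return memcmp(a->bytes, b->bytes, a->family == L3_IPV4 ? 4 : 16) == 0;
}

/* Model of "ip daddr { 1.1.1.1 : accept, ::1 : accept }" in an inet chain:
 * 1 = accept, 0 = no match, -1 = packet is neither IPv4 nor IPv6. */
int inet_daddr_in_set(const uint8_t *pkt, size_t len,
                      const char *const *set, size_t nset)
{
    struct l3_addr daddr, elem;

    if (fetch_daddr(pkt, len, &daddr) != 0)
        return -1;
    for (size_t i = 0; i < nset; i++)
        if (parse_addr(set[i], &elem) == 0 && addr_eq(&daddr, &elem))
            return 1;
    return 0;
}

static const char *const accept_set[] = { "1.1.1.1", "::1" };
#define ACCEPT_SET_LEN (sizeof accept_set / sizeof accept_set[0])

/* Build a constructed header-only packet whose daddr is daddr_text (the
 * packet family follows from the address syntax) and run the rule over it. */
int demo_rule(const char *daddr_text)
{
    uint8_t pkt[40] = { 0 };
    struct l3_addr daddr;

    if (parse_addr(daddr_text, &daddr) != 0)
        return -1;
    if (daddr.family == L3_IPV4) {
        pkt[0] = 0x45;                                   /* version 4, IHL 5 */
        inet_pton(AF_INET, "10.0.0.1", pkt + 12);        /* constructed saddr */
        memcpy(pkt + 16, daddr.bytes, 4);
        return inet_daddr_in_set(pkt, 20, accept_set, ACCEPT_SET_LEN);
    }
    pkt[0] = 0x60;                                       /* version 6 */
    inet_pton(AF_INET6, "2001:db8::1", pkt + 8);         /* constructed saddr */
    memcpy(pkt + 24, daddr.bytes, 16);
    return inet_daddr_in_set(pkt, 40, accept_set, ACCEPT_SET_LEN);
}

int main(void)
{
    const char *probes[] = { "1.1.1.1", "::1", "8.8.8.8", "2001:db8::1" };
    for (size_t i = 0; i < 4; i++)
        printf("daddr %-12s -> %d\n", probes[i], demo_rule(probes[i]));
    return 0;
}
```

The point to note is the return value of -1 from the fetch: once a single expression may see either family, a packet that is neither (or is shorter than the header it claims) has to make the rule not match rather than read past the buffer, which is the same length and family check the reject dispatch would need in its own _eval.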