On Wed, Feb 05, 2014 at 12:49:01PM +0100, Arturo Borrero Gonzalez wrote:
> On 5 February 2014 12:17, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >>
> >> I guess an NFPROTO_INET specific reject module that dispatches to
> >> the IPv4 and IPv6 versions is the only possibility unless we want
> >> to add restrictions (which I don't).
> >
> > I think that, once the infrastructure to provide expressions per
> > family is in place, a specific reject for inet is a good idea. It can
> > reply depending on the packet family that it sees at _eval(...). I
> > don't have any better idea on how to handle this case.
>
> Just wondering if this idea could be reused to allow nft_payload to
> fetch ip src/dst in a family independent way, so we can have dual
> stacked rules of this kind:
>
> nft add rule inet filter input ip daddr www.example.com accept
>
> or maybe:
>
> nft add rule inet filter input ip daddr { 1.1.1.1 : accept , ::1 : accept }

Nope, ip daddr implies meta nfproto == NFPROTO_IPV4. Also we have a
length in the payload instruction.

We might be able to do something by mapping IPv4 addresses into IPv6
address space.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
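As an added illustration (not code from this thread or from nftables itself), here is the family-independent lookup the last reply hints at, done in Python: IPv4 keys are normalised to IPv4-mapped IPv6 addresses so the quoted `{ 1.1.1.1 : accept , ::1 : accept }` map can live in one table keyed on a fixed 128-bit value, while `ip_daddr_matches` shows why a plain `ip daddr` rule only ever matches IPv4 packets. Function names, the `nfproto` strings and the "continue" fallthrough verdict are assumptions made for the example.

```python
import ipaddress
from typing import Dict

# Constructed verdict map modelled on the set syntax quoted in the thread:
#   { 1.1.1.1 : accept , ::1 : accept }
EXAMPLE_MAP = {"1.1.1.1": "accept", "::1": "accept"}

V4_MAPPED_PREFIX = 0xFFFF << 32  # ::ffff:0:0/96, RFC 4291 section 2.5.5.2


def ip_daddr_matches(nfproto: str, daddr: str, rule_daddr: str) -> bool:
    """Model the quoted point: 'ip daddr' implies meta nfproto == ipv4.

    An IPv6 packet never reaches the IPv4 header comparison, so the rule
    can only ever match when the packet family is ipv4.
    """
    if nfproto != "ipv4":
        return False
    return ipaddress.ip_address(daddr) == ipaddress.ip_address(rule_daddr)


def to_mapped(addr: str) -> ipaddress.IPv6Address:
    """Normalise an IPv4 or IPv6 literal to a single 128-bit key.

    IPv4 addresses become IPv4-mapped IPv6 addresses (::ffff:a.b.c.d);
    IPv6 addresses are returned unchanged, so both families share one
    fixed-length key, which is what a fixed-length payload compare needs.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv4Address):
        return ipaddress.IPv6Address(V4_MAPPED_PREFIX | int(ip))
    return ip


def build_verdict_map(entries: Dict[str, str]) -> Dict[ipaddress.IPv6Address, str]:
    """Build one lookup table from mixed IPv4/IPv6 keys.

    A dotted IPv4 key and its explicit ::ffff: form normalise to the same
    key; treat that as a configuration error rather than silently keeping
    whichever verdict came last.
    """
    table: Dict[ipaddress.IPv6Address, str] = {}
    for addr, verdict in entries.items():
        key = to_mapped(addr)
        if key in table:
            raise ValueError(f"duplicate key {key} for entry {addr}")
        table[key] = verdict
    return table


def lookup(table: Dict[ipaddress.IPv6Address, str], daddr: str) -> str:
    """Family-independent verdict lookup; unknown addresses fall through."""
    return table.get(to_mapped(daddr), "continue")
```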