On Tue, Jun 09, 2015 at 11:23:19AM +0200, Patrick McHardy wrote:
> On 08.06, Pablo Neira Ayuso wrote:
[...]
> > Then, the idea would to iterate over the list of netdevs that the user
> > indicates, eg.
> >
> > table netdev ingress {
> > device { eth0, eth1\; }
> >
> > ...
> > }
> >
> > and register the same chain hooks for each device in the list.
> >
> > I can go after this and cook a patch for this. The merge window is
> > still open so we can modify the semantics of the existing netlink
> > NFTA_TABLE_DEV attribute in David's net-next tree.
>
> My idea was to have the base chains bind to a device, then we can
> create shared chains and jump to them from the base chain:
>
> table netdev ingress {
> chain eth0 {
> hook eth0 ingress;
> jump shared_chain;
> }
> chain eth1 {
> hook eth1 ingress;
> jump shared_chain;
> }
> chain shared_chain {
> ...
> }
> }
>
> I think if we treat the table namespace global, than the hook and base
> chain is the natural place to specify the device since this is where
> the packets actually enter.
We can also achieve this sharing with the approach I describe above, I
don't see any limitation on that.
If the user doesn't want to share any set and chain, he creates a
separate table so there's a clear separation between namespaces.
Thus, we don't allow user to make convoluted configurations in
scenarios where he doesn't need to share anything.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
