Re: [RFC] nftables: reverse path filtering for nft

On Mon, Sep 12, 2016 at 02:21:07PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Sat, Sep 10, 2016 at 10:01:02PM +0200, Florian Westphal wrote:
> > > Hi.
> > > 
> > > Linux has a builtin rp filter for ipv4, but not for ipv6.
> > > xtables has rpfilter match for both ipv4 and ipv6.
> > > nftables currently does not have such a feature.
> > > 
> > > Any idea on how specific or generic this should be for nft?
> > > 
> > > Current idea is to add 'fib' expression that initially supports
> > > lookup of outinterface index for reply direction, i.e.:
> > > 
> > > nft ... fib reply oif ne 0 accept (found something)
> > 
> > Probably use 'fib lookup' instead of 'fib reply'?
> 
> I was thinking that we might want to support lookup in original
> direction as well at some point, so 'fib original oif' would do
> a route lookup for daddr (fib reply/rpf uses saddr).

Then, I'd suggest:

        fib lookup ip daddr

to look up the route based on the IPv4 destination address.

If you include the interface, you can express this through a
concatenation:

        fib lookup ip daddr . oif

As you are basically looking for the route based on the IPv4 address and
the output interface, this boils down to:

        fib lookup $expr $flags
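
[Added example, not part of the thread above: a ruleset showing reverse
path filtering with the fib expression in the form it has in the current
nft(8) manual (`fib saddr . iif oif missing drop`), rather than the
`fib lookup` / `fib reply` spellings being debated in this RFC. The table
and chain names are arbitrary. The comments relate the `missing` flag to
the `oif ne 0` test proposed in the original mail.]

```nft
# Added example (not from the thread). Reverse path filtering for both
# address families with the fib expression as documented in nft(8).
# The kernel's builtin knob covers IPv4 only: net.ipv4.conf.all.rp_filter
# (1 = strict, 2 = loose). There is no IPv6 counterpart, so an inet
# family table is used here to get the same check for v4 and v6.
table inet rpf {
    chain prerouting {
        # priority -300 is "raw": runs before conntrack (-200) sees the packet
        type filter hook prerouting priority -300; policy accept;

        # Strict mode: look up the route back to the packet's source address,
        # constrained to the interface it arrived on, and drop if no output
        # interface is found. The "missing" flag is the oif == 0 case that the
        # RFC proposes to test as 'fib reply oif ne 0 accept'.
        fib saddr . iif oif missing counter drop

        # Loose mode (use instead of the rule above on hosts with asymmetric
        # routing): only require that some route back to saddr exists.
        # fib saddr oif missing counter drop
    }
}
```

Load with `nft -f rpf.nft` and inspect with `nft list ruleset`. The counter
on the drop rule makes it easy to see whether legitimate traffic is being
caught by strict mode before switching to the loose variant.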