On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote:
>2016-10-11 20:28 GMT+02:00 Jan Engelhardt <jengelh@xxxxxxx>:
>> Well you can mark routes with realm numbers, and match on that. (In
>> iptables, this was done with -m realm.) At least that is the idea. Not
>> sure if the skb field that holds the information is already
>> filled in before FORWARD (at which point I guess it will contain the
>> dst realm anyway).
>
>I think you misunderstood what I am looking for here, for example:
>prerouting:
>ip saddr route table 10 drop

Assuming you mean "saddr is in {the set of dst addrs in table 10}" then
it's as I said - basically rpfilter with sort of an extra check for the
realm number (which you can make the same as the table number).