2016-10-11 22:18 GMT+02:00 Jan Engelhardt <jengelh@xxxxxxx>:
>
> On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote:
>>2016-10-11 20:28 GMT+02:00 Jan Engelhardt <jengelh@xxxxxxx>:
>>> Well you can mark routes with realm numbers, and match on that. (In
>>> iptables, this was done with -m realm.) At least that is the idea. Not
>>> sure if the skb field that holds the information is already
>>> filled in before FORWARD (at which point I guess it will contain the
>>> dst realm anyway).
>>
>>I think you misunderstood what I am looking for here, for example:
>>prerouting:
>>ip saddr route table 10 drop
>
> Assuming you mean "saddr is in {the set of dst addrs in table 10}"
> then it's as I said - basically rpfilter with sort of an extra check
> for the realm number (which you can make the same as the table number).

Yeah, sort of. But afaik rpfilter is an iptables module, and not
available in nftables yet.

Pablo: is the "lookup in routing table from nftables" a total waste of time?

--
Bj(/)rnar