Bjørnar Ness <bjornar.ness@xxxxxxxxx> wrote:
> 2016-10-12 8:19 GMT+02:00 Michal Kubecek <mkubecek@xxxxxxx>:
> > On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
> >>
> >> Yeah, sort of. But afaik rpfilter is an iptables module, and not
> >> available in nftables yet.
> >>
> >> Pablo: is the "lookup in routing table from nftables" a total waste of time?
> >
> > You may be interested in
> >
> >   https://www.youtube.com/watch?v=wfWMPlZHQBk&t=19m40s
>
> Thanks, Michal, this is interesting, but not exactly what I am looking
> for. This fib module would, as far as I can tell, follow the routing
> from rules -> table -> decision, which will need both a src and dst
> address. What I want is to skip the rule matching, and check directly
> in a table, that way we only need a single address, and the following
> should potentially work from prerouting:
>
>   ip saddr rt_table 10 drop
>
> comments?

I don't really understand why you would want this.

If you only want to match saddr, why not use ipset (or nftables set) for this?
If you want to use the fib, why not use blackhole routes?

I'd like to understand why you need this 'rule skip' thing, seems we would
have to export some fib internals for this which I'd like to avoid.
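
The set-based alternative suggested in the reply, written out as an nftables ruleset. This is an added example, not part of the original thread. The table, set and chain names are hypothetical, and the addresses are constructed sample values from the documentation ranges.

```nftables
# Load with: nft -f <file>
# Drops packets in prerouting based on source address only,
# using a named set instead of a routing-table lookup.
table ip srcfilter {
    # Interval set so that both prefixes and single hosts can be stored.
    set blocked_src {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain prerouting {
        # Hook before the routing decision; only saddr is consulted.
        type filter hook prerouting priority -150; policy accept;
        ip saddr @blocked_src counter drop
    }
}

# The set can be updated at runtime without reloading the ruleset:
#   nft add element ip srcfilter blocked_src { 203.0.113.0/24 }
#   nft delete element ip srcfilter blocked_src { 198.51.100.7 }
```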