On Mon, Oct 24, 2016 at 04:56:40PM +0200, Florian Westphal wrote:
> Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
> just dispatches to ipv4 or ipv6 one based on nfproto).
>
> Currently supports fetching output interface index/name and the
> rtm_type associated with an address.
>
> This can be used for adding path filtering. rtm_type is useful
> to e.g. enforce a strong-end host model where packets
> are only accepted if daddr is configured on the interface the
> packet arrived on.
>
> The fib expression is a native nftables alternative to the
> xtables addrtype and rp_filter matches.
>
> FIB result order for oif/oifname retrieval is as follows:
> - if packet is local (skb has rtable, RTF_LOCAL set, this
>   will also catch looped-back multicast packets), set oif to
>   the loopback interface.
> - if fib lookup returns an error, or result points to local,
>   store zero result. This means '--local' option of -m rpfilter
>   is not supported. It is possible to use 'fib type local' or add
>   explicit saddr/daddr matching rules to create exceptions if this
>   is really needed.
> - store result in the destination register.
>   In case of multiple routes, search set for desired oif in case
>   strict matching is requested.
>
> ipv4 and ipv6 fib expressions are supposed to behave the same.

This looks great, applied, thanks Florian.
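For readers who want to see how the expression described in the commit message is used from a ruleset, here is an added example (it is not part of the thread, nor taken from the patch). It uses the nft "fib" syntax as documented in the nft manual: "fib saddr . iif oif missing" implements strict reverse path filtering (the oif lookup stores 0, i.e. "missing", when the route is absent or points to local, exactly the behaviour the message spells out), and "fib daddr . iif type" implements the strong end host model via rtm_type. The table and chain names, the hook priority and the explicit loopback accept are assumptions chosen for illustration, not anything the patch prescribes.

```nft
# Added example, not part of the original patch or thread.
# Table/chain names, priority and the loopback exception are assumptions.
table inet filter {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;

        # Keep loopback out of the reverse path check; the commit message's
        # loopback handling only applies to packets already carrying a
        # local rtable, which is not the case this early in prerouting.
        iif lo accept

        # Strict reverse path filtering (nft equivalent of rp_filter):
        # look up saddr, require the route's oif to equal the ingress
        # interface. A missing route or a local result yields oif 0
        # ("missing") and is dropped, so there is no '--local' exception
        # here; add an explicit saddr match above if you need one.
        fib saddr . iif oif missing counter drop

        # Strong end host model (addrtype replacement): only accept packets
        # whose daddr is configured on the interface they arrived on.
        # Broadcast and multicast destinations are exempted explicitly.
        fib daddr . iif type != { local, broadcast, multicast } counter drop
    }
}
```

Load it with "nft -f" and watch the counters to confirm what the two fib rules actually match before switching the policy or adding a drop at the end; the reverse path rule in particular will drop traffic from sources that are reachable only through a different interface than the one they arrived on, which is the intended behaviour for strict filtering but surprises asymmetric routing setups.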