Liping Zhang <zlpnobody@xxxxxxx> wrote:
> In general, we haven't done a routing lookup in the PREROUTING hook, so it's
> very likely that fib4/6_is_local will not be met.

Loopback packets retain skb->dst (and that's what this test is about).

> Then the *dest will
> be set to 0 because we do nothing when the fib result is RTN_LOCAL.

Yes.

> So if the user wants to drop all packets which cannot be routed,
> and inputs the following nft rule:
>   # nft add rule filter prerouting fib daddr oif eq 0 drop
>
> Then all the packets which are destined to local will be dropped
> incorrectly.

But in the "saddr oif eq 0 drop" case they really should have no oif; the
address should not be considered routable.

Pablo, please don't apply this; I would like to look at this next week.

Maybe this needs a check if we're testing daddr or saddr.