On Fri, Jun 22, 2018 at 11:45:12AM +0200, Máté Eckl wrote:
[...]
> > 	if (skb->protocol != htons(ETH_P_IP))
> > 		... break verdict ...
>
> > which is actually needed for safety reasons.
>
> This is something that should appear in the eval function right?

Also in the kernel for safety reasons.

> Isn't it the same as what I added there?

This is needed because someone may use the raw kernel netlink interface (not
libnftnl / nftables) to generate an incorrect combination such as allow IPv6
to be passed to tproxy in IPV4 mode which may crash the kernel.

Well, it may be just result in a packet drop, but better be safe than sorry.
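A stand-alone userspace model of the eval-side check the thread is talking about, added here as an illustration and not taken from the nft_tproxy patch or the kernel tree: the rule's family is compared against skb->protocol before any L3 header is parsed, so a rule loaded through raw netlink with a mismatched family only yields a break verdict. All struct, constant and function names (fake_skb, tproxy_eval, VERDICT_BREAK, the sample headers) are hypothetical stand-ins.

```c
/* Simplified model of the safety check in a tproxy-style eval function.
 * Names, structs and verdict values are hypothetical, not the kernel API. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define ETH_P_IP   0x0800
#define ETH_P_IPV6 0x86DD

enum tproxy_family { TPROXY_IPV4, TPROXY_IPV6, TPROXY_INET };
enum verdict { VERDICT_CONTINUE = 0, VERDICT_BREAK = -1 };

/* Minimal sk_buff stand-in: L3 protocol (network byte order) and header bytes. */
struct fake_skb { uint16_t protocol; const uint8_t *data; size_t len; };

/* Constructed sample headers: IPv4 192.168.1.2 -> 10.0.0.1, and a bare IPv6 header. */
const uint8_t sample_ipv4_pkt[20] = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0,
                                      192, 168, 1, 2, 10, 0, 0, 1 };
const uint8_t sample_ipv6_pkt[40] = { 0x60 };

/* Reads the IPv4 destination; only safe once the caller has checked the protocol. */
static enum verdict ipv4_branch(const struct fake_skb *skb, uint32_t *daddr)
{
    if (skb->len < 20) return VERDICT_BREAK;        /* truncated header */
    uint32_t be; memcpy(&be, skb->data + 16, 4);
    if (daddr) *daddr = ntohl(be);
    return VERDICT_CONTINUE;
}

static enum verdict ipv6_branch(const struct fake_skb *skb)
{
    return skb->len >= 40 ? VERDICT_CONTINUE : VERDICT_BREAK;
}

/* The kernel-side check: the packet's protocol must match the rule's family
 * before any header is touched, whatever userspace claimed at rule-load time. */
enum verdict tproxy_eval(enum tproxy_family family, const struct fake_skb *skb,
                         uint32_t *daddr)
{
    uint16_t proto = ntohs(skb->protocol);
    switch (family) {
    case TPROXY_IPV4: return proto == ETH_P_IP   ? ipv4_branch(skb, daddr) : VERDICT_BREAK;
    case TPROXY_IPV6: return proto == ETH_P_IPV6 ? ipv6_branch(skb)        : VERDICT_BREAK;
    case TPROXY_INET:                               /* both families allowed */
        if (proto == ETH_P_IP)   return ipv4_branch(skb, daddr);
        if (proto == ETH_P_IPV6) return ipv6_branch(skb);
        return VERDICT_BREAK;                       /* anything else: break */
    }
    return VERDICT_BREAK;
}

/* Convenience wrapper: build the skb from a host-order protocol and raw bytes. */
enum verdict tproxy_eval_bytes(enum tproxy_family family, uint16_t proto_host,
                               const uint8_t *data, size_t len, uint32_t *daddr)
{
    struct fake_skb skb = { htons(proto_host), data, len };
    return tproxy_eval(family, &skb, daddr);
}
```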