On Wed, Oct 10, 2018 at 05:25:47PM +0200, Florian Westphal wrote:
> Eyal says:
> doesn't the use of nft_pf(pkt) in this context limit the matching of
> encapsulated packets to the same family?
>
> IIUC when an e.g. IPv6-in-IPv4 packet is matched, the nft_pf(pkt) will
> be the decapsulated packet family - IPv6 - whereas the state may be
> IPv4. So this check would not allow matching the 'underlay' address in
> such cases.
>
> I know this was a limitation in xt_policy, but is this intentional in
> this matcher? Or is it possible to use state->props.family when
> validating the match instead of nft_pf(pkt)?
>
> Userspace already tells us which address family it expects to match, so
> we can just use the real state family rather than the hook family.
> So change it as suggested above.

Applied, thanks.