On 1/11/2019 2:15 AM, Pablo Neira Ayuso wrote:
> On Thu, Jan 10, 2019 at 01:16:08PM +0800, wenxu@xxxxxxxxx wrote:
> [...]
>> +static struct xt_match tunnel_mt_reg __read_mostly = {
>> + .name = "tunnel",
>> + .revision = 0,
>> + .family = NFPROTO_UNSPEC,
>> + .match = tunnel_mt,
>> + .matchsize = sizeof(struct xt_tunnel_mtinfo),
>> + .hooks = ((1 << NF_INET_PRE_ROUTING) |
>> + (1 << NF_INET_POST_ROUTING) |
>> + (1 << NF_INET_LOCAL_OUT) |
>> + (1 << NF_INET_FORWARD)),
> Are you sure this works from the forward chain? This template is
> dropped after the route lookup.
>
> Thanks.

Yes. NF_INET_FORWARD is also used to match packets that go to the tunnel (IP_TUNNEL_INFO_TX type). After route lookup, the packet is sent to the tunnel through lwtunnel-route.

NF_INET_PRE_ROUTING can be used for the 'from' tunnel match. The other three hooks can be used for the 'to' tunnel match.
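
Review bot: the .hooks mask in tunnel_mt_reg gives no hint which hook serves which direction, and the question in this thread shows that it is not obvious to a reader. A short comment above .hooks stating that NF_INET_PRE_ROUTING is for the 'from' tunnel match and that NF_INET_FORWARD, NF_INET_LOCAL_OUT and NF_INET_POST_ROUTING are for the 'to' tunnel match (IP_TUNNEL_INFO_TX metadata, after the route lookup) would record the reasoning given in the reply. The quoted lines stop before the end of the initializer, so it is not visible here whether a checkentry ties each direction to its valid hooks; if there is none, adding one would let a rule that can never match be rejected when it is loaded instead of silently not matching.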