wenxu@xxxxxxxxx <wenxu@xxxxxxxxx> wrote:
> From: wenxu <wenxu@xxxxxxxxx>
> so with this patch userspace can add the 'don't re-do entire ruleset for vrf' policy
> itself like the following
>
> nft add rule firewall rules-all meta l3master true counter accept

I wonder if we need to support this also for output interface, and if
this should be specific to vrf or not.

Example:

meta iifl3master exists accept
meta oifl3master exists accept

or

meta iifkind "vrf" accept
meta oifkind "vrf" accept

(the latter could e.g. place rtnl_op ".kind" in the register)

Not sure if that would ever be useful beyond vrf.