On 2019/1/15 7:17 PM, Florian Westphal wrote:
> wenxu@xxxxxxxxx <wenxu@xxxxxxxxx> wrote:
>> From: wenxu <wenxu@xxxxxxxxx>
>> so with this patch userspace can add the 'don't re-do entire ruleset for vrf' policy
>> itself like the following
>>
>> nft add rule firewall rules-all meta l3master true counter accept
> I wonder if we need to support this also for output interface, and if
> this should be specific to vrf or not.
>
> Example:
>
> meta iifl3master exists accept
> meta oifl3master exists accept
> or
> meta iifkind "vrf" accept
> meta oifkind "vrf" accept
>
> (the latter could e.g. place rtnl_op ".kind" in the register)
>
> Not sure if that would ever be useful beyond vrf.
>
yes, iifkind type must be useful for most other cases.
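As an added illustration (not part of the thread and not wenxu's patch), the following complete nftables ruleset shows where the "don't re-do the entire ruleset for vrf" policy discussed above would sit, written with the `iifkind`/`oifkind` syntax Florian proposes rather than the patch's `meta l3master true` form. It assumes a VRF device named vrf-blue with eth0 enslaved to it, and a kernel and nft build that implement `meta iifkind` / `meta oifkind`; the interface names, addresses and ports are constructed for the example.

```nft
#!/usr/sbin/nft -f
# Assumed topology (constructed for this example): eth0 is enslaved to the
# VRF device vrf-blue. A packet received on eth0 is seen by the prerouting
# hook twice: first with iif = eth0, then again once the l3mdev code has
# re-injected it with iif = vrf-blue. Without the early accept every rule
# below would be evaluated on both passes.
flush ruleset

table inet filter {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;

        # Second pass (iif = vrf-blue): the packet was already inspected
        # on its slave interface, so leave the chain immediately.
        meta iifkind "vrf" counter accept

        # First pass (iif = eth0): the real filtering happens here, once.
        iifname "eth0" ip saddr 10.0.0.0/8 counter drop
        iifname "eth0" tcp dport { 22, 443 } counter accept
    }

    chain postrouting {
        type filter hook postrouting priority 300; policy accept;

        # Egress mirror of the above: the packet leaves through the VRF
        # device first and through the slave interface afterwards, so the
        # pass with oif = vrf-blue is skipped and eth0 is filtered once.
        meta oifkind "vrf" counter accept
        oifname "eth0" tcp dport 25 counter drop
    }
}
```

Load it with `nft -f` (or syntax-check it first with `nft -c -f`); the `counter` on the `iifkind`/`oifkind` rules makes it easy to confirm with `nft list ruleset` that the second pass is in fact being short-circuited, since its count should track the number of packets matched on the slave interface.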