On Fri, Apr 26, 2019 at 11:55:12AM -0700, Jakub Kicinski wrote:
> On Fri, 26 Apr 2019 20:41:45 +0200, Pablo Neira Ayuso wrote:
> > If netfilter supports chain definitions like this:
> >
> > table x {
> >     chain y {
> >         type filter hook ingress devices = { eth0, eth1 } priority 0;
> >     }
> > }
> >
> > Then the chain 'y' implicitly becomes the block for the 'eth0' and
> > 'eth1' devices.
>
> Can there be more chains for those devices? Or those will only run y
> from netfilter perspective?

In software, the existing control plane allows you to register as many
chains as you want, which would allow including 'eth0' and 'eth1'.
However, I don't have a usecase for this: one single chain should be
enough given that the ingress hook is only used for filtering.

We are inheriting these semantics from iptables, where multiple tables
at different priorities (which specify the order) make sense, such as
'raw', 'mangle' and so on. At ingress, these don't make sense and a
single chain with priority 0 should be enough.

In case of hardware offload, I think we should just allow one single
chain at ingress with 'eth0' and 'eth1', just like tc does. Just return
EOPNOTSUPP.
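As an added illustration (not part of the thread, and not an nftables project example), the ruleset below shows what the single-ingress-chain model discussed above looks like once filtering rules are attached: one base chain bound to several devices via the `devices = { ... }` syntax from the quoted message. The `netdev` family, the `policy accept` statement, and the two filter rules with their sample addresses and ports are assumptions added for the example; the per-device `devices` list is the syntax under discussion.

```nft
# Added example: one ingress base chain covering two devices.
# 'netdev' is the family that carries the ingress hook; the quoted
# message omitted the family, so it is assumed here.
table netdev x {
    chain y {
        # A single base chain at priority 0 acts as the block for both
        # eth0 and eth1, as described in the reply above.
        type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;

        # Assumed sample rules: drop traffic from a documentation prefix
        # (RFC 5737) and count SSH, to show that ordinary filter rules
        # live in the same single chain rather than in extra chains.
        ip saddr 192.0.2.0/24 counter drop
        tcp dport 22 counter accept
    }
}
```

Loading this with `nft -f` installs exactly one ingress chain per listed device; there is no second, differently prioritised chain to order against, which is the point the reply makes about ingress needing no 'raw'/'mangle'-style table stacking.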