As noted by Felix Dreissig, fib documentation is quite terse, so explain the 'saddr . iif' example with a few more words. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1220 Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- doc/primary-expression.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 6eb9583ac9e9..124193626aa7 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -274,6 +274,12 @@ fib_addrtype # drop packets without a reverse path filter prerouting fib saddr . iif oif missing drop +In this example, 'saddr . iif' lookups up routing information based on the source address and the input interface. +oif picks the output interface index from the routing information. +If no route was found for the source address/input interface combination, the output interface index is zero. +In case the input interface is specified as part of the input key, the output interface index is always the same as the input interface index or zero. +If only 'saddr oif' is given, then oif can be any interface index or zero. + # drop packets to address not configured on ininterface filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop -- 2.21.0
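Review bot: The first added line has a typo: "'saddr . iif' lookups up routing information" should read "looks up routing information". The new text also never ties the zero output interface index back to the rule it explains. The example uses "oif missing drop", so a short sentence saying that "missing" is the case where the index is zero would close the gap for a reader working out why the rule acts as a reverse path filter. The last added line writes the shorter form as 'saddr oif' while the example rule spells it "fib saddr . iif oif"; using the same "fib saddr oif" spelling would make clear that only the ". iif" part of the key is dropped. Finally, the paragraph is inserted between two "# ..." example comments. If those examples sit inside a single listing block, the prose will render as part of the code, so consider prefixing the lines with "#" or moving the explanation outside the block.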