On Sun, Mar 15, 2020 at 2:29 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hello Daniel,
>
> On Sat, Mar 14, 2020 at 01:12:02AM +0100, Daniel Borkmann wrote:
> > On 3/13/20 3:55 PM, Pablo Neira Ayuso wrote:
> [...]
> > > We have plans to support NAT64 and NAT46; this is the right spot
> > > to do this mangling. There is already support for the tunneling
> >
> > But why is the existing local-out or post-routing hook _not_ sufficient for
> > NAT64, given that it is IP based?
>
> Those hooks do not come at the end of the IP processing. There is
> very relevant IP code after those hooks that cannot be bypassed, such
> as fragmentation, tunneling and neighbour output. Such a transformation
> needs to happen after the IP processing, exactly where Lukas is
> proposing.
>
> [...]
>
> > > infrastructure in netfilter from ingress; this spot from egress will
> > > allow us to perform the tunneling from here. There is also no way to
> > > drop traffic generated by dhclient; this also allows for filtering such
> > > locally generated traffic. And many more.

Hi,

Any chance to continue with this approach? I'm afraid outbound af_packets
also could not be filtered without this hook.

Thanks.