On Thu, Sep 12, 2024 at 10:43:57PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > > I.e., if no matching new hook, just unreg, else register new/unregister
> > > old.
> >
> > I can't bind a device to multiple flowtables of the same family, so I
> > can't bind first, then unbind.
>
> I'm dense, why does that not work?

Well, nft_register_flowtable_net_hooks() searches for the same hook in other
flowtables of the same table ("same" as in hook->ops.dev and hook->ops.pf
values match) and returns -EEXIST if found. Originally this check was added
by Pablo:

| commit 32fc71875127498bf99cc648e96400ee0895edf7
| Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
| Date:   Mon Feb 26 13:16:04 2018 +0100
|
|     netfilter: nf_tables: return EBUSY if device already belongs to flowtable
|
|     If the netdevice is already part of a flowtable, return EBUSY. I cannot
|     find a valid usecase for having two flowtables bound to the same
|     netdevice. We can still have two flowtables where the device set is
|     disjoint.
|
|     Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

The comment luckily indicates there's no technical reason, so the reg-first
approach may fly. Apart from that, I'll try getting rid of this because it
prevents things like ft1(eth0, eth1) && ft2(eth1, eth2), which seems like a
valid use-case to me.

Thanks for questioning the basics here! :)

Cheers, Phil