On Sat, Oct 12, 2024 at 04:42:16PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > One question regarding this series.
> >
> > Most spots still rely on EPERM which is the default reason for
> > NF_DROP.
>
> core converts NF_DROP to EPERM if no errno value is set, correct.
>
> > I wonder if it is worth updating all these spots to use NF_DROP_REASON
> > with EPERM. I think patchset becomes smaller if it is only used to
> > provide a better reason than EPERM.
>
> I'm not following, sorry. What do you mean?
>
> This is not about errno. NF_DROP_REASON() calls kfree_skb, so tooling
> can show location other than nf_hook_slow().

Right.

> Or do you mean using a different macro that always sets EPERM?

Maybe remove SKB_DROP_REASON_NETFILTER_DROP from macro, so line is
shorter?

        NF_DROP_REASON(pkt->skb, -EPERM)

And add a new macro for br_netfilter NF_BR_DROP_REASON which does not
always set SKB_DROP_REASON_NETFILTER_DROP? (Pick a better name for
this new macro if you like).

Or do you think the existing generic long version of NF_DROP_REASON is
convenient to have?

Thanks