Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > + switch (nft_hook(pkt)) {
> > + case NF_INET_PRE_ROUTING:
> > + case NF_INET_INGRESS:
>
> Not an issue in your patch itself, it seems nft_fib_validate() was
> never updated to support NF_INET_INGRESS.
Yes, probably better to do that in a different patch.
> > + if (nft_fib_can_skip(pkt)) {
> > + nft_fib_store_result(dest, priv, nft_in(pkt));
> > + return;
> > + }
>
> Silly question: Does this optimization work for all cases?
> NFTA_FIB_F_MARK and NFTA_FIB_F_DADDR.
Its the socket that the skb will be delivered to, so I don't see
an issue. Theoretically you could set a different mark in input,
but what is it good for? Its too late to change routing result.
As this sits in input hook, route lookup done by stack (not by fib
expr) already picked nft_in as the 'right' interface for this daddr.
