Re: [PATCH nf-next] netfilter: fib: avoid lookup if socket is available

On Wed, Mar 12, 2025 at 10:38:31PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > +	switch (nft_hook(pkt)) {
> > > +	case NF_INET_PRE_ROUTING:
> > > +	case NF_INET_INGRESS:
> > 
> > Not an issue in your patch itself, it seems nft_fib_validate() was
> > never updated to support NF_INET_INGRESS.
> 
> Yes, probably better to do that in a different patch.
> 
> > > +	if (nft_fib_can_skip(pkt)) {
> > > +		nft_fib_store_result(dest, priv, nft_in(pkt));
> > > +		return;
> > > +	}
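Review bot: the early return at `if (nft_fib_can_skip(pkt))` stores a result without going through the flag handling the thread raises (NFTA_FIB_F_MARK, NFTA_FIB_F_DADDR); the reasoning below is that this is safe only because the skip runs in the input hook, after the stack's own route lookup has already chosen nft_in for the destination address. That assumption is not visible in the snippet itself, so a short comment above the `nft_fib_can_skip()` check (or in its definition) stating that the skip is valid only for the post-routing-decision hooks listed in the `switch (nft_hook(pkt))` would keep the next reader from re-asking the same question.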
> > 
> > Silly question: Does this optimization work for all cases?
> > NFTA_FIB_F_MARK and NFTA_FIB_F_DADDR.
> 
> It's the socket that the skb will be delivered to, so I don't see
> an issue.  Theoretically you could set a different mark in input,
> but what is it good for? It's too late to change routing result.

I see, makes no sense to trigger another lookup with the different
mark after the stack already provides a route (no use-case for this).

> As this sits in input hook, route lookup done by stack (not by fib
> expr) already picked nft_in as the 'right' interface for this daddr.

Thanks for explaining.