Re: Are "device chains" a real thing?

On 02/08/17 09:05, Pablo Neira Ayuso wrote:
> # nft add table netdev x
> # nft add chain netdev x y { type filter hook ingress device eth0 priority 0\; }

Device specific chains for ingress is cool.

Device specific chains for prerouting and postrouting simplify the heck out of NAT for complex systems since I've got boxes with eight NICs (okay, it's two four-port NICs) in various bridges and only one interface that does NAT. So that's a lot of null (all tests fail) traversals of those chains for no purpose on those other NICs.

I trim that down by using a single rule such as

"iif ext0 jump DNAT_ext0"

to keep all the tests out of the path for the internal bridges, then put all the elaborate stuff in that secondary chain. So it's not a killer.
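A ruleset file that puts both halves of the discussion above side by side: the device-bound netdev ingress chain from the quoted commands, and the single-rule jump that keeps NAT processing off the internal bridges. This is an added example, not from the original thread or from the nftables project. Interface names eth0 and ext0 and the chain name DNAT_ext0 come from the messages above; the 192.168.1.10 host and the port numbers are constructed. In a file loaded with `nft -f` the `\;` escaping needed on the shell command line goes away.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Device-bound chain: only frames arriving on eth0 traverse it, other
# NICs and bridges never see these rules.
table netdev x {
    chain y {
        type filter hook ingress device eth0 priority 0; policy accept;
        # constructed example rule: drop RFC1918 sources arriving from outside
        ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
    }
}

table ip nat {
    # Regular chain (no hook, no policy): reachable only via the jump below.
    chain DNAT_ext0 {
        # constructed forwarding targets
        tcp dport 80  dnat to 192.168.1.10
        tcp dport 443 dnat to 192.168.1.10
        udp dport 1194 dnat to 192.168.1.20
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # The one test every packet pays; traffic from the internal
        # bridges fails it here and skips the whole DNAT_ext0 chain.
        iif ext0 jump DNAT_ext0
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif ext0 masquerade
    }
}
```

Check it without touching the live kernel state with `nft -c -f <file>`, load it with `nft -f <file>`, and confirm with `nft list ruleset`. Because DNAT_ext0 is a regular chain rather than a base chain, packets that do not match `iif ext0` never enter it, which is exactly the traversal savings described above; the same jump pattern works for a per-device SNAT chain hung off postrouting if the masquerade rule grows more elaborate.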
