On Fri, Sep 25, 2020 at 09:52:00AM +0000, ѽ҉ᶬḳ℠ wrote: > On 23/09/2020 13:43, ѽ҉ᶬḳ℠ wrote: > > Would it be possible to generate a set in 'table inet' based on 'saddr > > ct state invalid drop' and then utilise the same set in a 'table netdev > > rule', for offending saddr getting blocked early? > > > > Tried some variations but none worked out and thus it seems deployment of > sets across families is not supported. Though I reckon it would be a > beneficial feature: > > * mitigate repetition of same sets that are applicable for different > families > * gather set data in one family, e.g offenders' saddr from inet, and deploy > such set in a rule in a different family, e.g. in netdev for blocking such > offenders early on This is feasible. I have an incomplete patchset to enable this, I'll try to scratch some time to finish this.
