Re: Constraints on nft expressions and statements in inet ingress chains

Frank Myhr <fmyhr@xxxxxxxxxxx> · Mon, 8 Feb 2021 13:01:55 -0500

On 2021/02/08 11:32, Florian Westphal wrote:
- reject statement
Should work in recent kernels.
>
... >> - packet mark
Will be present for loopback and it can be set/assigned.
>
> ...
conntrack info may be present for loopback case.

> ...
access to l4 header will not work for subsequent fragments.

Thanks, Florian! The above is very good to know while working on my 
rulesets.

Best regards,
Frank