[Bug 1736] nftables - dynamic update for verdict map from the packet path

bugzilla-daemon at netfilter.org
Wed Mar 20 10:49:48 CET 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1736

--- Comment #2 from dinhtrason at gmail.com ---
> I have seen rulesets which rely in meta mark to achieve this, thus, you use
> the 'update' statement to add mappings using any key : meta mark. Then, use
> the meta mark for the verdict map lookup to know what chain to visit in the
> ruleset.

Thanks for the suggestion.

There is a restriction on using meta mark for this purpose because the packet
mark is already used for an existing function (namely masquerading) in my
project.

It is also hard to have a unique meta mark for each target chain because its
value will be generated by a hash of the target chain's ids (e.g. the endpoint's
destination IP and destination port), and collisions are not avoidable with a
hashing function even if the target chain's ids are different.

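As an added illustration of the meta mark approach quoted at the top of this comment (this ruleset is not part of the bug report, the netfilter project's own documentation, or the reporter's project), the fragment below learns a (destination address . destination port) to mark mapping from the packet path with the 'update' statement and then resolves the mark through a verdict map. The table, chain and map names and the 0x1/0x2 mark values are made up for the example; the syntax assumes a recent nft release and kernel with dynamic map statement support ('update @map { key : value }'), and an IPv4-only key for brevity.

```nft
# Added example: "key : meta mark" learned on the packet path, then
# "meta mark vmap" to pick the target chain. Names and mark values are assumed.
table inet demo {
    # Dynamic map filled from the packet path. 'flags dynamic' is required
    # for set/map statements to touch it from a rule; 'timeout' lets learned
    # entries age out so the map cannot grow without bound.
    map endpoint_mark {
        type ipv4_addr . inet_service : mark
        flags dynamic
        timeout 10m
    }

    # Static verdict map keyed by mark. Its elements can be added or deleted
    # from userspace (nft add/delete element) without reloading the rule
    # that references it.
    map mark_verdict {
        type mark : verdict
        elements = { 0x1 : jump svc_a, 0x2 : jump svc_b }
    }

    chain svc_a { counter accept }
    chain svc_b { counter accept }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Packets that already carry a mark (set earlier, e.g. by a socket
        # with SO_MARK or a preceding rule) teach the map which endpoint
        # belongs to which mark; 'update' refreshes the timeout of an
        # existing element instead of failing on it.
        meta mark != 0 update @endpoint_mark { ip daddr . tcp dport : meta mark }

        # Unmarked packets to a known endpoint get the learned mark back.
        meta mark == 0 meta mark set ip daddr . tcp dport map @endpoint_mark

        # Resolve the mark to a chain. A mark with no entry simply falls
        # through to the chain policy.
        meta mark vmap @mark_verdict
    }
}
```

Two caveats a practitioner should keep in mind with this layout: it assumes the whole packet mark is free for this purpose (where other bits of the mark are already in use, the vmap key would have to be masked to the bits reserved for chain selection), and it does nothing about the key-to-mark collisions raised above, since two endpoints that end up with the same mark will always be sent to the same chain.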