[Bug 1736] nftables - dynamic update for verdict map from the packet path

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Mar 20 10:56:54 CET 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1736

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to dinhtrason from comment #2)
> > I have seen rulesets which rely on meta mark to achieve this; thus, you use
> > the 'update' statement to add mappings using any key : meta mark. Then, use
> > the meta mark for the verdict map lookup to know what chain to visit in the
> > ruleset.
> 
> Thanks for the suggestion.
> 
> There is a restriction on using meta mark for this purpose because the
> packet mark has been used for an existing function (namely for masquerading)
> in my project.

Are you fully using the 32 bits in the mark _only_ for masquerading?

If you use conntrack, then can you use connlabel?

> It is also hard to have a unique meta mark for each target chain because its
> value will be generated by a hash of the target chain's ids (e.g. endpoint's
> destIP and destport), and collisions are not avoidable with a hashing function
> even if the target chain's ids are different.

I don't have access to your ruleset; I would need a sketch ruleset from you to
understand better what you are trying to do and make better suggestions.

Thanks.
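The mark-based construction the comment describes (a dynamic map populated with `update` from the packet path, then a verdict map lookup on `meta mark`), written out as an added example nftables ruleset. This is not code from the bug report or from the netfilter project; the table, chain and map names, the 0x1/0x2 mark values and the destination ports used for the initial classification are assumptions.

```nft
# Added example (not from the bug report): a dynamic map learned from the
# packet path feeds a verdict map, with meta mark as the shared key.
# Table/chain/map names, ports and mark values are assumptions.
table inet filter {
    # verdict map keyed on the packet mark: mark -> chain to visit
    map mark_to_chain {
        type mark : verdict
        elements = { 0x1 : jump svc_a, 0x2 : jump svc_b }
    }

    # dynamic map populated from the packet path: source address -> mark.
    # 'flags dynamic' is what allows 'update' to add entries per packet;
    # the timeout lets learned entries expire instead of growing unbounded.
    map src_to_mark {
        type ipv4_addr : mark
        flags dynamic,timeout
        timeout 10m
    }

    chain svc_a {
        counter accept
    }

    chain svc_b {
        counter accept
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;

        # learning stage: a packet classified by some other criterion
        # (here: destination port, an assumption) gets a mark and stores
        # its "source address : mark" pair into the dynamic map
        tcp dport 8080 meta mark set 0x1 update @src_to_mark { ip saddr : meta mark }
        tcp dport 8443 meta mark set 0x2 update @src_to_mark { ip saddr : meta mark }

        # lookup stage: restore the mark for later packets from a known
        # source, then dispatch on it through the verdict map. Packets with
        # no learned entry keep mark 0, match nothing here and fall through.
        meta mark set ip saddr map @src_to_mark
        meta mark vmap @mark_to_chain
    }
}
```

Learned entries and their remaining lifetime can be inspected with `nft list map inet filter src_to_mark`. The example assumes the whole 32-bit mark is free for this purpose; where part of the mark is already reserved (the masquerading case raised in the thread), only the remaining bits are available to carry the dispatch key, which is the point of the question above about whether all 32 bits are in use.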

