[Bug 1125] Setting bit mark according to result of lookup

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Mar 29 23:51:14 CEST 2017


https://bugzilla.netfilter.org/show_bug.cgi?id=1125

--- Comment #2 from Maciej Piechotka <uzytkownik2 at gmail.com> ---
(In reply to Robert White from comment #1)
> Put the value from the map into the mark first.
> 
> e.g. start the mark construction with
> 
> add rule wherever wherever meta mark set iif map @iface_to_mark
> 
> Then compose in your other stuff...
> 

This wouldn't work as the idea is that the packet gets a bitmask of interfaces
as it goes through the bridge filter. So if we have eth0 and eth1 both under
br0 and eth0 -> b001, eth1 -> b010, br0 -> b100 then packets from eth0 would
have b101 and from eth1 b110.

> Also the group numbers "exist" before any interfaces are even configured
> because, hey, integers exist. So by moving interfaces in and out of groups
> you can radically change their behaviors without having to load/update any
> rules or sets/maps/dictionaries
> 
> More complicated arrangements may need more groups.
> 

OTOH names are more user-readable and I don't have very high performance
requirements[1].

[1] That said, in the current version there is a chicken-and-egg problem between
nft and interfaces. Ideally you would want the firewall up and running before
setting up the network. But to use high-performance features such as iif you need
to set it up after the network, as you need to create the interfaces, and some
interfaces might require the network itself (tunnels etc.). I guess the simplest
thing would be to (re-)JIT on network creation/destruction/rename of iifname/oifname so
that iif/oif is substituted for the interface and compiles out for a non-existent
interface.
