[Bug 1220] Reverse path filtering using "fib" needs better documentation
bugzilla-daemon at netfilter.org
Wed Feb 7 17:23:07 CET 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1220
Felix Dreissig <f30 at f30.me> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |f30 at f30.me
--- Comment #2 from Felix Dreissig <f30 at f30.me> ---
(In reply to Florian Westphal from comment #1)
> When 'saddr . iif' is used, the kernel is supposed to also
> check that oif == iif; i.e. it returns iif (oif and iif are the same and
> therefore reply would leave via iif/oif), or 0 (no route or route via
> different interface).
>
> Does that make sense to you?
Kind of – it is the behavior I already assumed and it enables my use case, but
I wouldn't call it intuitive.
Does this additional check only apply for `saddr . iif`, or also for other keys
like `saddr` alone?
> I'll try to add something to nft man page to cover this.
That sounds good.
Adding a note to the wiki page [1] would be nice as well. I'd also do that
myself, but it seems like new accounts cannot be created.
[1] https://wiki.nftables.org/wiki-nftables/index.php/Routing_information
--
You are receiving this mail because:
You are watching all bug changes.
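
The `saddr . iif` behaviour quoted from comment #1, modelled as an added example (not code from the bug report or from the nftables project). The routing table, interface indexes and function names are constructed for illustration, and the model assumes one next hop per route and no policy routing.

```python
import ipaddress

# Constructed routing table: (prefix, output interface index).
ROUTES = [
    ("10.0.0.0/8", 2),      # eth0
    ("10.1.0.0/16", 3),     # eth1, more specific than the /8 above
    ("192.168.5.0/24", 3),  # eth1
]


def route_oif(addr):
    """Longest-prefix match: interface index of the best route, 0 if none."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, oif in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, oif)
    return best[1] if best else 0


def fib_saddr_iif_oif(saddr, iif):
    """Model of `fib saddr . iif oif` as described in comment #1:
    return iif when the reply to saddr would leave via the interface the
    packet arrived on, otherwise 0 (no route, or route via another one)."""
    return iif if route_oif(saddr) == iif else 0


def rpf_verdict(saddr, iif):
    """Model of the reverse path rule `fib saddr . iif oif missing drop`."""
    return "drop" if fib_saddr_iif_oif(saddr, iif) == 0 else "continue"


if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface index).
    for saddr, iif in [("10.2.3.4", 2), ("10.1.3.4", 2),
                       ("10.1.3.4", 3), ("203.0.113.9", 2)]:
        print(saddr, iif, fib_saddr_iif_oif(saddr, iif), rpf_verdict(saddr, iif))
```

The second sample packet is the asymmetric case: a route to its source exists, but via a different interface than the one it arrived on, so the lookup yields 0 and the rule drops it just as it does the unroutable source.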