2016-10-14 13:44 GMT+02:00 Florian Westphal <f...@strlen.de>:
> Bjørnar Ness <bjornar.n...@gmail.com> wrote:
>> ip saddr rt_table 10 drop
>> comments?
> I don't really understand why you would want this.
> If you only want to match saddr, why not use ipset (or nftables set) for
> this?

It's hard to populate via routing protocols. RTBH / source RTBH is very
convenient, and handles all the details (filtering, timeout etc.) in the routing
daemon (bird in my case). It is of course possible to make a middleware that
listens for updates on a routing table, and propagates them to a set, but
that's what I would want to and could avoid if I was given access to a
"set type" lookup in a specific table.

> If you want to use the fib, why not use blackhole routes?

Because it is not possible to do saddr based lookups in prerouting;
the only way this is possible is if one enables rp_filter, and the packet will
then have travelled far inside the kernel already. Also, it is not possible
to send ICMP unreachable, for example, using the rp_filter method.

> I'd like to understand why you need this 'rule skip' thing, seems we
> would have to export some fib internals for this which I'd like to
> avoid.

I hope you can see the use of this. It also probably has other use cases.
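Added example (not code from this thread, from bird, or from the netfilter/nftables project): a Python sketch of the "middleware" described above, i.e. a process that reads the blackhole routes bird installs in a routing table and pushes them into an nftables set that a rule like `ip saddr @srtbh drop` can match. The `ip -j route show table 10` JSON, the set name `srtbh` and the table `inet filter` are constructed assumptions. It also shows why a flat set is not the same thing as a fib lookup: a more-specific unicast route punches a hole in a blackhole prefix, so the sync has to carve those holes out or it will drop traffic the fib would forward.

```python
"""Sync an nftables set from drop-type routes in a kernel routing table.

Added example, not from the original thread. Emulates the routing-table to
set "middleware" and compares it with a longest-prefix fib lookup.
"""
import ipaddress
import json

# Route types that mean "drop" in the kernel fib.
DROP_TYPES = {"blackhole", "unreachable", "prohibit"}

# Constructed sample in the shape of `ip -j route show table 10` output; not
# real output from any system. Unicast routes carry no "type" key.
SAMPLE_ROUTE_JSON = json.dumps([
    {"type": "blackhole", "dst": "198.51.100.0/24", "protocol": "bird"},
    {"dst": "198.51.100.128/25", "dev": "eth1", "protocol": "bird"},
    {"type": "blackhole", "dst": "198.51.100.192/26", "protocol": "bird"},
    {"type": "blackhole", "dst": "203.0.113.7", "protocol": "bird"},
    {"dst": "default", "gateway": "192.0.2.1", "dev": "eth0", "protocol": "static"},
])


def parse_routes(route_json):
    """Return [(IPv4Network, route_type)] from iproute2-style JSON."""
    routes = []
    for r in json.loads(route_json):
        dst = "0.0.0.0/0" if r["dst"] == "default" else r["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False),
                       r.get("type", "unicast")))
    return routes


def fib_type(routes, saddr):
    """Longest-prefix match: the route type the fib would return for saddr."""
    addr = ipaddress.ip_address(saddr)
    best = None
    for net, rtype in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype)
    return best[1] if best else None


def drop_ranges(routes):
    """Exact address ranges whose longest-prefix match is a drop-type route.

    For each drop route, carve out every strictly more-specific route of any
    type. More-specific drop routes are added back by their own iteration, so
    blackhole/unicast/blackhole nesting comes out right.
    """
    result = set()
    for net, rtype in routes:
        if rtype not in DROP_TYPES:
            continue
        pieces = [net]
        for other, _ in routes:
            if other == net or not other.subnet_of(net):
                continue
            nxt = []
            for p in pieces:
                if other.subnet_of(p):          # hole inside this piece
                    nxt.extend(p.address_exclude(other))
                elif not p.subnet_of(other):    # disjoint: keep as is
                    nxt.append(p)               # (covered pieces are dropped)
            pieces = nxt
        result.update(pieces)
    return result


def is_dropped(ranges, saddr):
    """Set-style check: is saddr covered by any installed element?"""
    addr = ipaddress.ip_address(saddr)
    return any(addr in net for net in ranges)


def nft_sync_commands(current, desired, family="inet", table="filter",
                      setname="srtbh"):
    """nft commands that move set membership from `current` to `desired`.

    Assumes the set was created with `flags interval` so prefixes are valid
    elements, e.g. `nft add set inet filter srtbh { type ipv4_addr; flags interval; }`.
    """
    key = lambda n: (int(n.network_address), n.prefixlen)
    cmds = []
    stale = sorted(current - desired, key=key)
    fresh = sorted(desired - current, key=key)
    if stale:
        cmds.append(f"nft delete element {family} {table} {setname} "
                    f"{{ {', '.join(map(str, stale))} }}")
    if fresh:
        cmds.append(f"nft add element {family} {table} {setname} "
                    f"{{ {', '.join(map(str, fresh))} }}")
    return cmds


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_JSON)
    naive = {net for net, t in routes if t in DROP_TYPES}
    exact = drop_ranges(routes)
    for src in ("198.51.100.5", "198.51.100.130", "198.51.100.200"):
        print(src, "fib:", fib_type(routes, src),
              "naive set drops:", is_dropped(naive, src),
              "carved set drops:", is_dropped(exact, src))
    for cmd in nft_sync_commands(set(), exact):
        print(cmd)
```

In the sample, 198.51.100.130 is forwarded by the fib (the /25 unicast route wins) but a naive set holding the raw /24 blackhole would drop it; the carved set installs 198.51.100.0/25 and 198.51.100.192/26 instead. A real daemon would poll `ip -j route show table 10` or subscribe to rtnetlink and feed the diff into `nft_sync_commands`.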

To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
