Liping Zhang <[email protected]> wrote:
> At 2016-11-24 21:50:14, "Florian Westphal" <[email protected]> wrote:
> >Liping Zhang <[email protected]> wrote:
> >> In general, we haven't done a routing lookup in the PREROUTING hook, so it's
> >> very likely that fib4/6_is_local will not be met.

[..]

> Yes, so I use the words "very likely" :)
> [...]
> >but in "saddr oif eq 0 drop" case they really should have no oif, the
> >address should not be considered routeable.
>
> Yes, I read ipt_rpfilter.c's source code, and I find that there's a test flag
> XT_RPFILTER_ACCEPT_LOCAL, so I guess your initial intention is (just my
> guess, maybe I'm wrong):
>    0 - no route
>    1 - local route
>    others - routing oif

Yes, that's right.

"1" should only appear if the looked-up address is configured on this machine.
For saddr, I don't think it's a good idea, because it will pass

oif ne 0 accept

For ACCEPT_LOCAL I think it's easier to combine this with the addrtype
check or just add explicit accept rules that make it bypass the nft_fib
rule.

What do you think?

I agree that for your prerouting daddr example, 0 makes no sense and 1
would indeed be a better option.
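To make the result encoding discussed above concrete (0 = no route, 1 = local address, anything else = the route's output interface index) and to show why an "oif ne 0 accept" rule is a problem for saddr if local addresses are reported as 1, here is an added toy model in C. It is an illustration written for this page, not kernel code and not nft_fib or ipt_rpfilter; the routing table, the interface indices (2 and 3) and the helper names fib_lookup, rule_oif_eq0_drop, rule_oif_ne0_accept and rpfilter are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result encoding from the thread: 0 no route, 1 local, >1 oif index. */
enum fib_res { FIB_NOROUTE = 0, FIB_LOCAL = 1 };
enum verdict { DROP = 0, ACCEPT = 1 };

struct route {
    uint32_t net;   /* network, host byte order */
    uint32_t mask;  /* netmask, host byte order */
    int oif;        /* output interface index */
    bool local;     /* address configured on this host */
};

/* Build a host-order IPv4 address from dotted-quad components. */
uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

/* Constructed routing table: 10.0.0.1 is our own address on ifindex 2,
 * 10.0.0.0/24 is reachable via ifindex 2, 192.168.0.0/16 via ifindex 3. */
static const struct route routes[] = {
    { 0x0A000001u, 0xFFFFFFFFu, 2, true  },
    { 0x0A000000u, 0xFFFFFF00u, 2, false },
    { 0xC0A80000u, 0xFFFF0000u, 3, false },
};

/* Longest-prefix match returning the thread's encoding. */
int fib_lookup(uint32_t addr)
{
    const struct route *best = NULL;

    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        if ((addr & routes[i].mask) != routes[i].net)
            continue;
        /* a longer prefix has a numerically larger mask */
        if (!best || routes[i].mask > best->mask)
            best = &routes[i];
    }
    if (!best)
        return FIB_NOROUTE;
    return best->local ? FIB_LOCAL : best->oif;
}

/* "fib saddr oif eq 0 drop" followed by chain policy accept:
 * only addresses with no route at all are rejected. */
enum verdict rule_oif_eq0_drop(uint32_t saddr)
{
    return fib_lookup(saddr) == FIB_NOROUTE ? DROP : ACCEPT;
}

/* "fib saddr oif ne 0 accept" followed by chain policy drop:
 * because a local address yields 1, a packet spoofing our own
 * address as its source is accepted, which is the objection above. */
enum verdict rule_oif_ne0_accept(uint32_t saddr)
{
    return fib_lookup(saddr) != FIB_NOROUTE ? ACCEPT : DROP;
}

/* Reverse-path check in the style of ipt_rpfilter: the route for the
 * source must point back out of the interface the packet arrived on;
 * accept_local plays the role of XT_RPFILTER_ACCEPT_LOCAL. */
enum verdict rpfilter(uint32_t saddr, int iif, bool accept_local)
{
    int res = fib_lookup(saddr);

    if (res == FIB_NOROUTE)
        return DROP;
    if (res == FIB_LOCAL)
        return accept_local ? ACCEPT : DROP;
    return res == iif ? ACCEPT : DROP;
}

int main(void)
{
    uint32_t self = ip4(10, 0, 0, 1);   /* our own address, spoofed as saddr */
    uint32_t lan  = ip4(10, 0, 0, 7);   /* legitimate LAN host */

    printf("fib(10.0.0.1)=%d fib(10.0.0.7)=%d fib(172.16.0.1)=%d\n",
           fib_lookup(self), fib_lookup(lan), fib_lookup(ip4(172, 16, 0, 1)));
    printf("oif ne 0 accept, spoofed local saddr: %s\n",
           rule_oif_ne0_accept(self) == ACCEPT ? "ACCEPT" : "DROP");
    printf("rpfilter spoofed local saddr on iif 3: %s\n",
           rpfilter(self, 3, false) == ACCEPT ? "ACCEPT" : "DROP");
    printf("rpfilter 10.0.0.7 on iif 3 (wrong interface): %s\n",
           rpfilter(lan, 3, false) == ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

The point the model makes is that a plain "non-zero means routeable" test cannot distinguish a locally configured address from a forwarded one, so for saddr the local case needs either a dedicated flag (as in rpfilter) or a separate addrtype-style rule before the fib rule.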

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html