Hello, netfilter-devel.
Is it possible/planned to be able to do routing table lookup from
within nftables?
Thinking then of a routing table like "set". This would be nice to be able to do
early drop on BGP populated saddr based rtbl.
--
Bjørnar
On Tuesday 2016-10-11 20:11, Bjørnar Ness wrote:
>Hello, netfilter-devel.
>
>Is it possible/planned to be able to do routing table lookup from
>within nftables?
>Thinking then of a routing table like "set". This would be nice to be able to do
>early drop on BGP popul
2016-10-11 20:28 GMT+02:00 Jan Engelhardt:
> Well you can mark routes with realm numbers, and match on that. (In
> iptables, this was done with -m realm.) At least that is the idea. Not
> sure if the skb field that holds the information is already
> filled in before FORWARD (at which point I guess
On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote:
>2016-10-11 20:28 GMT+02:00 Jan Engelhardt:
>> Well you can mark routes with realm numbers, and match on that. (In
>> iptables, this was done with -m realm.) At least that is the idea. Not
>> sure if the skb field that holds the information is alre
2016-10-11 22:18 GMT+02:00 Jan Engelhardt:
>
> On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote:
>>2016-10-11 20:28 GMT+02:00 Jan Engelhardt:
>>> Well you can mark routes with realm numbers, and match on that. (In
>>> iptables, this was done with -m realm.) At least that is the idea. Not
>>> sure
On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
>
> Yeah, sort of. But afaik rpfilter is an iptables module, and not
> available in nftables yet.
>
> Pablo: is the "lookup in routing table from nftables" a total waste of time?
You may be interested in
https://www.youtube.com/watc
2016-10-12 8:19 GMT+02:00 Michal Kubecek:
> On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
>>
>> Yeah, sort of. But afaik rpfilter is an iptables module, and not
>> available in nftables yet.
>>
>> Pablo: is the "lookup in routing table from nftables" a total waste of time?
>
> You m
Bjørnar Ness wrote:
> 2016-10-12 8:19 GMT+02:00 Michal Kubecek:
> > On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
> >>
> >> Yeah, sort of. But afaik rpfilter is an iptables module, and not
> >> available in nftables yet.
> >>
> >> Pablo: is the "lookup in routing table from nftable
2016-10-14 13:44 GMT+02:00 Florian Westphal:
> Bjørnar Ness wrote:
>>
>> ip saddr rt_table 10 drop
>>
>> comments?
>
> I don't really understand why you would want this.
>
> If you only want to match saddr, why not use ipset (or nftables set) for
> this?
It's hard to populate via routing protocol