On 1/10/19 8:21 AM, wenxu wrote:
>
> How about the status of this patch? Should I resubmit it?
>
I do not like the need for a flag when the VRF is created. If something
changes with the firewall rules, it means a user has to delete and
re-create the VRF, which is really expensive.
It would be be
On 2018/12/28 10:42 PM, David Ahern wrote:
> On 12/27/18 2:38 AM, we...@ucloud.cn wrote:
>> From: wenxu
>>
>> In ip_rcv the skb goes through the PREROUTING hook first,
>> then jumps into the vrf device and goes through the same hook again.
>> When conntrack works with vrf, there will be some conflict for rules
David Ahern wrote:
> On 12/27/18 12:38 AM, we...@ucloud.cn wrote:
> > nft add table firewall
> > nft add chain firewall zones { type filter hook prerouting priority -300 \; }
> > nft add rule firewall zones counter ct zone set iif map { "eth1" : 1, "eth2" : 2 }
> > nft add chain firewa
On 12/27/18 12:38 AM, we...@ucloud.cn wrote:
> nft add table firewall
> nft add chain firewall zones { type filter hook prerouting priority -300 \; }
> nft add rule firewall zones counter ct zone set iif map { "eth1" : 1, "eth2" : 2 }
> nft add chain firewall rule-1000-ingress
> nft add rul
On 12/27/18 2:38 AM, we...@ucloud.cn wrote:
> From: wenxu
>
> In ip_rcv the skb goes through the PREROUTING hook first,
> then jumps into the vrf device and goes through the same hook again.
> When conntrack works with vrf, there will be some conflict for rules.
> Because the packet goes through the hook twic
From: wenxu
In ip_rcv the skb goes through the PREROUTING hook first,
then jumps into the vrf device and goes through the same hook again.
When conntrack works with vrf, there will be some conflict for rules.
Because the packet goes through the hook twice with different nf status
ip link add user1 type vrf t