
Create a `CONTINUE` verdict

Open qdeslandes opened this issue 5 months ago • 0 comments

With the existing verdicts, it's not possible to forward a packet to the next rule: it is either accepted or dropped. In both cases, the chain won't process the remaining rules.

A CONTINUE verdict would allow packets to continue going through the filtering rules. Currently, the main interest of such a target would be to count the packets matching specific criteria. For example, this is not currently possible:

# Count the number of IPv6 packets and TCP packets going through the hook
rule
    meta.l3_proto ip6
    counter
    ACCEPT
rule
    meta.l4_proto tcp
    counter
    ACCEPT

IPv6 TCP packets would be counted towards rule #1's counter only, as every IPv6 packet would be matched by rule #1 and accepted, stopping the processing. However, with a CONTINUE verdict:

# Count the number of IPv6 packets and TCP packets going through the hook
rule
    meta.l3_proto ip6
    counter
    CONTINUE
rule
    meta.l4_proto tcp
    counter
    CONTINUE

IPv6 TCP packets would be processed by rule #1 and counted, then processing would continue with rule #2 and they would be counted again.

qdeslandes, Sep 02 '24 14:09
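The chain semantics described in the issue, as an added example that is not part of the issue or of bpfilter's own code: a small C model of rule evaluation in which each rule carries a match, an optional counter and a verdict. The `VERDICT_CONTINUE` value, the `struct rule`/`struct chain` layout and the `run_sample` traffic mix are this example's assumptions, not bpfilter identifiers. It reproduces the two-rule chain from the issue with both verdicts and shows why an IPv6/TCP packet is counted once under ACCEPT and twice under CONTINUE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a chain; names are this example's, not bpfilter's. */
enum verdict { VERDICT_ACCEPT, VERDICT_DROP, VERDICT_CONTINUE };
enum l3_proto { L3_IP4, L3_IP6 };
enum l4_proto { L4_TCP, L4_UDP };

struct packet {
    enum l3_proto l3;
    enum l4_proto l4;
};

struct rule {
    int match_l3;        /* -1 = any, otherwise an enum l3_proto value */
    int match_l4;        /* -1 = any, otherwise an enum l4_proto value */
    bool counter;        /* the rule has a "counter" */
    enum verdict verdict;
    uint64_t count;      /* packets matched so far */
};

struct chain {
    struct rule *rules;
    size_t nrules;
    enum verdict policy; /* applied when no terminal verdict is reached */
};

static bool rule_matches(const struct rule *r, const struct packet *p)
{
    if (r->match_l3 >= 0 && r->match_l3 != (int)p->l3)
        return false;
    if (r->match_l4 >= 0 && r->match_l4 != (int)p->l4)
        return false;
    return true;
}

/* Walk the chain for one packet. ACCEPT/DROP terminate; CONTINUE moves on
 * to the next rule after the counter has been incremented. */
enum verdict chain_process(struct chain *c, const struct packet *p)
{
    for (size_t i = 0; i < c->nrules; i++) {
        struct rule *r = &c->rules[i];
        if (!rule_matches(r, p))
            continue;
        if (r->counter)
            r->count++;
        if (r->verdict == VERDICT_CONTINUE)
            continue;          /* fall through to the following rule */
        return r->verdict;     /* terminal verdict: stop here */
    }
    return c->policy;
}

/* The issue's two-rule chain, with the same verdict on both rules. */
static void build_chain(struct rule rules[2], struct chain *c, enum verdict v)
{
    rules[0] = (struct rule){ .match_l3 = L3_IP6, .match_l4 = -1,
                              .counter = true, .verdict = v, .count = 0 };
    rules[1] = (struct rule){ .match_l3 = -1, .match_l4 = L4_TCP,
                              .counter = true, .verdict = v, .count = 0 };
    c->rules = rules;
    c->nrules = 2;
    c->policy = VERDICT_ACCEPT;
}

/* Constructed traffic sample: one IPv6/TCP, one IPv6/UDP, one IPv4/TCP packet.
 * Returns the counter of rule `idx` (0 or 1) after the sample has been run. */
uint64_t run_sample(enum verdict v, size_t idx)
{
    struct rule rules[2];
    struct chain c;
    build_chain(rules, &c, v);

    const struct packet sample[] = {
        { L3_IP6, L4_TCP }, { L3_IP6, L4_UDP }, { L3_IP4, L4_TCP },
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        chain_process(&c, &sample[i]);
    return rules[idx].count;
}

int main(void)
{
    printf("ACCEPT:   rule#1=%llu rule#2=%llu\n",
           (unsigned long long)run_sample(VERDICT_ACCEPT, 0),
           (unsigned long long)run_sample(VERDICT_ACCEPT, 1));
    printf("CONTINUE: rule#1=%llu rule#2=%llu\n",
           (unsigned long long)run_sample(VERDICT_CONTINUE, 0),
           (unsigned long long)run_sample(VERDICT_CONTINUE, 1));
    return 0;
}
```

With ACCEPT on both rules, rule #2 only ever sees the IPv4/TCP packet, so its counter undercounts TCP traffic; with CONTINUE, both counters report the true per-criterion totals and the chain policy decides the packet's fate. Note that a chain made only of CONTINUE rules never emits a terminal verdict, so the policy applied at the end of the chain becomes the effective decision for every packet.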