Re: [PATCH] netfilter: Fix br_nf_pre_routing() in conjunction with bridge-nf-call-ip(6)tables=0


On 3/01/2012 21:29, Richard Weinberger wrote:
> On 03.01.2012 21:15, Bart De Schuymer wrote:
>> The documentation is probably not explicit enough, but I would keep the
>> behavior as it is now. Setting bridge-nf-call-iptables to 0 makes
>> iptables behave as if bridge-netfilter was not enabled at compilation.
>> Anyway, your patch is almost certainly flawed since the fact that
>> skb->nf_bridge can be NULL is used as part of the logic in
>> br_netfilter.c: it indicates that bridge-nf-call-iptables was 0 when the
>> packet was first processed by bridge-netfilter and should therefore not
>> be given to iptables in any other netfilter hook.
> Thanks for the explanation!
>
> Wouldn't it make sense to check for bridge-nf-call-iptables in xt_physdev?
> So that the user gets warned that his iptables rule will never match...

We don't want to introduce module dependencies between the bridge module and the iptables physdev match. We could add a message to the syslog whenever these proc settings are changed (in br_netfilter.c::brnf_sysctl_call_tables()).


Bart De Schuymer
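The thread's practical point is that with bridge-nf-call-iptables set to 0, bridged frames never reach iptables, so any rule using the physdev match is dead. The kernel itself gives no warning (the reply above only suggests a syslog message when the proc setting changes). Below is an added audit script that is not part of this thread and not kernel code: it reads the sysctl from /proc/sys/net/bridge (the path and the iptables-save rule format are real; the sample rules are constructed) and lists the physdev rules that can never match.

```python
"""Audit helper (added example, not from the mailing-list thread): report
iptables rules that use `-m physdev` while bridge-nf-call-iptables is 0.
Such rules can never match, because br_netfilter does not hand bridged
frames to iptables when that sysctl is 0.
"""
import re
import sys

# Constructed sample of `iptables-save` output, used when nothing is piped in.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m physdev --physdev-in eth0 --physdev-is-bridged -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A INPUT -m physdev --physdev-out eth1 -j DROP
COMMIT
"""

# Matches the physdev match module in an iptables-save rule line.
PHYSDEV_RE = re.compile(r"(^|\s)-m\s+physdev(\s|$)")

SYSCTL_PATH = "/proc/sys/net/bridge/bridge-nf-call-iptables"


def physdev_rules(rules_text):
    """Return the `-A` rule lines of iptables-save output that use -m physdev."""
    return [line for line in rules_text.splitlines()
            if line.startswith("-A ") and PHYSDEV_RE.search(line)]


def dead_physdev_rules(rules_text, bridge_nf_call):
    """Return the physdev rules that can never match.

    bridge_nf_call is the integer value of bridge-nf-call-iptables
    (use bridge-nf-call-ip6tables together with ip6tables-save output).
    With the sysctl at 0 every physdev rule is dead; otherwise none is
    flagged by this check.
    """
    if bridge_nf_call != 0:
        return []
    return physdev_rules(rules_text)


def read_sysctl(path=SYSCTL_PATH):
    """Read the sysctl value; None if the file is absent (br_netfilter not loaded)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Usage: iptables-save | python3 audit_physdev.py
    rules = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    value = read_sysctl()
    if value is None:
        print("br_netfilter not loaded: bridged frames are not seen by iptables")
        dead = physdev_rules(rules)
    else:
        print(f"bridge-nf-call-iptables = {value}")
        dead = dead_physdev_rules(rules, value)
    for rule in dead:
        print("never matches:", rule)
```

When br_netfilter is not loaded at all, the proc file does not exist; the script treats that case the same way, since bridged frames are then not passed to iptables either.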
