From: Imre Palik
To: Florian Westphal
CC: David Miller, bridge@lists.linux-foundation.org, stephen@networkplumber.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, imrep@amazon.de, aliguori@amazon.com
Date: Mon, 23 Feb 2015 16:24:22 +0100
Subject: Re: [PATCH] bridge: make it possible for packets to traverse the bridge withour hitting netfilter
Message-ID: <54EB4626.4050703@gmail.com>
In-Reply-To: <20150213190330.GD15141@breakpoint.cc>

On 02/13/15 20:03, Florian Westphal wrote:
> Imre Palik wrote:
>> The trouble is that there are some bridges (with low traffic) where I need netfilter, and some other bridges (carrying lots of traffic) where I don't. Being able to set things up on a per-bridge basis is a powerful thing.
>>
>> I only implemented the global switch because the iptables and arptables support also have one. If this is what bugs people here, I can remove it and resubmit.
>
> I see. But I agree with David, accepting such a patch would pave the way
> for all kinds of ugly hacks.
>
> It seems that technically the best solution would be to allow attaching
> filter rules to devices, but alas, netfilter doesn't support that.
>
> Alternatively, your patch *might* be ok iff you can get rid of the extra
> userspace-visible configuration knobs; we already have way too many of
> these.

The sysctl can be removed. But I need some means to switch it off for a given bridge, so I kept the sysfs interface. If there is a more preferred way to do it, then please let me know.

> You'll also have to figure out how to avoid any run-time dependency on
> the br_netfilter module from the bridge core.
>
> If you can do this, you might be able to get a similar effect as your patch
> by replacing
>
> NF_HOOK with NF_HOOK_COND(..., !(br->flags & NO_NETFILTER))
>
> or something like this.

This works nicely for the NFPROTO_BRIDGE, NF_BR_PRE_ROUTING case. Thanks for the idea. But for the NFPROTO_BRIDGE, NF_BR_FORWARD case the resulting code would be more ugly, because of the chaining of the entries.

> I don't know how invasive this would be, though.

I will post the cleaned up version in a sec. It looks way better. I hope it will be enough ...
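The NF_HOOK_COND idea Florian suggests in the thread, modelled in userspace as an added illustration (this is neither kernel code nor Imre's patch): when the per-bridge condition is false the hook chain is never consulted and the packet goes straight to the okfn. The flag name BR_NO_NETFILTER, the struct layouts and the toy hook that drops odd packet ids are assumptions.

```c
/* Userspace model of NF_HOOK_COND dispatch (not kernel code): when the
 * condition is false the hook chain is skipped and the packet goes
 * straight to okfn. Flag name, structs and the toy hook are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define BR_NO_NETFILTER 0x1   /* hypothetical per-bridge bypass flag */

struct sk_buff { int id; bool dropped; };
struct net_bridge { unsigned int flags; };

static int hook_calls;   /* packets that actually reached the netfilter hook */

/* Toy hook standing in for the bridge netfilter chain: NF_DROP odd ids. */
static bool nf_hook_run(struct sk_buff *skb) {
    hook_calls++;
    return (skb->id % 2) == 0;
}

/* Stand-in for br_handle_frame_finish(): the packet continues through the bridge. */
static int br_finish(struct sk_buff *skb) { (void)skb; return 0; }

/* Model of NF_HOOK_COND: consult the hook only when cond is true. */
static int nf_hook_cond(bool cond, struct sk_buff *skb, int (*okfn)(struct sk_buff *)) {
    if (cond && !nf_hook_run(skb)) { skb->dropped = true; return -1; }
    return okfn(skb);
}

/* NF_BR_PRE_ROUTING entry point with the per-bridge bypass from the thread. */
static int br_pre_routing(struct net_bridge *br, struct sk_buff *skb) {
    return nf_hook_cond(!(br->flags & BR_NO_NETFILTER), skb, br_finish);
}

/* Push n packets through a bridge with the given flags; return the drop count. */
int drops_for_flags(unsigned int flags, int n) {
    struct net_bridge br = { flags };
    int dropped = 0;
    hook_calls = 0;
    for (int i = 0; i < n; i++) {
        struct sk_buff skb = { .id = i, .dropped = false };
        br_pre_routing(&br, &skb);
        dropped += skb.dropped;
    }
    return dropped;
}

int last_hook_calls(void) { return hook_calls; }

int main(void) {
    int d = drops_for_flags(0, 4);
    printf("filtered bridge: %d of 4 dropped, hook ran %d times\n", d, last_hook_calls());
    d = drops_for_flags(BR_NO_NETFILTER, 4);
    printf("bypass bridge:   %d of 4 dropped, hook ran %d times\n", d, last_hook_calls());
    return 0;
}
```

On the bypass bridge the hook counter stays at zero, which is exactly the property a reviewer would want to verify: the flag removes the filtering point entirely for that bridge, not just the rules.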