From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 1/2 v2 nf-next] net: bridge: don't register netfilter call_iptables hooks by default
Date: Thu, 18 Sep 2014 20:39:56 +0200 [thread overview]
Message-ID: <20140918183956.GA3989@salvia> (raw)
In-Reply-To: <20140918143108.GB8484@breakpoint.cc>
On Thu, Sep 18, 2014 at 04:31:08PM +0200, Florian Westphal wrote:
> > I also guess most distributors will use CONFIG_BRIDGE_NETFILTER=m.
> > Then, users will get a warning message to let them know that they will
> > have to modprobe br_netfilter in the future if they need it, so we can
> > remove the deferred request_module from the br init path.
>
> Hmm, not sure if its safe to do this, e.g. with bridge=y,
> br_netfilter=m, module might not yet be present in such cases?
>
> Also, what about this:
> iptables-restore < rules.txt
> modprobe bridge
> brctl addbr ...
> brctl addif ...
>
> at this point, any packet forwarded by bridge is filtered
> via iptables.
>
> After your patch, this might no longer be the case, if the modprobe
> call is delayed (maybe this is far-fetched and not an issue in practice)?
Agreed, I think we can use your static key approach to drop traffic
from br_handle_frame after the work has called request_module.
> 2nd hypothetical issue:
> modprobe bridge
> sysctl net.bridge.bridge-nf-call-iptables=0
>
> The sysctl could fail when br_nf_core is not yet present.
Indeed.
We can keep those sysctls there in bridge.ko and deprecated them in
favour of br_netlink. I think we can add some IFLA_BRPORT_NF for the
setlink command to replace the existing global proc nf-call-thing.
We'll have to enhance the 'bridge' tool in iproute2 to support this.
I can see this is packaged in testing already by debian at least.
> Then, in two years or so, we would remove the autoload hook
> in the packet procesing path.
Agreed. By that time, we can kill the bridge.ko <-> br_netfilter.ko
dependency and the /proc call-nf-bridge stuff in favour of br_netlink.
Let me know if you still have any concern. Thanks.
next prev parent reply other threads:[~2014-09-18 18:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-17 15:52 [PATCH 1/2 v2 nf-next] net: bridge: don't register netfilter call_iptables hooks by default Florian Westphal
2014-09-17 15:52 ` [PATCH 2/2 nf-next] net: bridge: deprecate call_iptables=1 default value Florian Westphal
2014-09-18 13:35 ` [PATCH 1/2 v2 nf-next] net: bridge: don't register netfilter call_iptables hooks by default Pablo Neira Ayuso
2014-09-18 14:31 ` Florian Westphal
2014-09-18 18:39 ` Pablo Neira Ayuso [this message]
2014-09-19 10:13 ` Florian Westphal
2014-09-18 19:52 ` Patrick McHardy
2014-09-18 19:31 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140918183956.GA3989@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.