All of lore.kernel.org
 help / color / mirror / Atom feed
From: Patrick McHardy <kaber@trash.net>
To: Amin Azez <azez@ufomechanic.net>
Cc: Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>,
	Bart De Schuymer <bdschuym@pandora.be>,
	Tom Eastep <teastep@shorewall.net>
Subject: Re: RFC: Disable defered bridge hooks by default
Date: Wed, 19 Jul 2006 19:15:13 +0200	[thread overview]
Message-ID: <44BE68A1.4070609@trash.net> (raw)
In-Reply-To: <44BE624E.5080307@ufomechanic.net>

Amin Azez wrote:
> * Patrick McHardy wrote, On 19/07/06 17:36:
> 
>>The routing code shouldn't know anything about the bridge FDB.
>>  
> 
> True, I only suggest that the bridge work out what it is going to do
> with the packet just after routing (if any) but before post-routing. I
> can't think of much else that will happen to the packets between
> postrouting and bridge output that would spoil this.
> 
> I wasn't suggesting that bridging and routing modules should peer over
> eachothers shoulders, but rather than defer the hooks we bring forward
> the bridge decision.


But at that point again you can't even be sure if the packet will
finally exit a bridge device. TC action could direct the packet
to a different device from the bridge output queue. There is no
clean solution for this which integrates well with all the other
things Linux networking can do.

>>>I think if ebtables becomes the answer it will just grow to be as big as
>>>iptables with all the extra matches iptables has, just as iptables has
>>>extra -p tcp and -p udp matches.
>>>    
>>
>>Thats where MARK will be useful, but only if the target is available
>>in ebtables. SNAT based on bridge port won't be possible anymore.
>>  
> 
> Yes but the ebtables could get as big as turing machine as the possible
> ebtables actions end up getting encoded into the mark; with such side
> deferred effects as:
> * set dscp to various values
> * set mark (for tc)
> * drop
> 
> all multipled by the number of output ports, so that these actions can
> be taken based on the output port.


Worst case will need some space, but common sense tells me that this is
not what users are doing (DSCP based on bridge output port combined with
criteria only usable within iptables? What for?). Marking for tc can
be done within iptables, and ebtables just needs to encode the output
port in the mark if you really need it (why would you? you have a
seperate device, the bridge port, to do QoS on).

Anyway, I'll submit the patch soon, which gives us at least 6 more month
to work this out.

  parent reply	other threads:[~2006-07-19 17:15 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-07-04  9:26 RFC: Disable defered bridge hooks by default Patrick McHardy
2006-07-04  9:27 ` Patrick McHardy
2006-07-08  0:36   ` Tom Eastep
2006-07-08  3:01     ` Patrick McHardy
2006-07-10  9:56       ` Amin Azez
2006-07-11  8:28         ` Patrick McHardy
2006-07-11  9:33           ` Amin Azez
2006-07-11 20:34       ` Tom Eastep
2006-07-11 21:29         ` Patrick McHardy
2006-07-12 22:41           ` Tom Eastep
2006-07-13  7:35             ` Patrick McHardy
2006-07-13 14:11               ` Tom Eastep
2006-07-13 14:45                 ` Patrick McHardy
2006-07-13 15:31                   ` Tom Eastep
2006-07-15 14:32                     ` Tom Eastep
2006-07-19 14:21                     ` Patrick McHardy
2006-07-19 15:50                       ` Tom Eastep
2006-07-19 16:02                         ` Patrick McHardy
2006-07-13  9:56             ` Amin Azez
2006-07-12  6:16       ` Philip Craig
2006-07-13  0:20         ` Tom Eastep
2006-07-13  0:42           ` David Miller
2006-07-13  0:45             ` Tom Eastep
2006-07-13  9:45               ` Amin Azez
2006-07-13  7:31           ` Patrick McHardy
2006-07-13  7:46         ` Patrick McHardy
2006-07-13  8:12           ` Philip Craig
2006-07-13  8:36             ` Patrick McHardy
2006-07-13 14:11           ` Amin Azez
2006-07-13 14:50             ` Patrick McHardy
2006-07-13 15:29               ` Amin Azez
2006-07-19 16:36                 ` Patrick McHardy
     [not found]                   ` <44BE624E.5080307@ufomechanic.net>
2006-07-19 17:15                     ` Patrick McHardy [this message]
     [not found] <W8195318669268441152182124@nocme1bl6.telenet-ops.be>
2006-07-06 10:49 ` Patrick McHardy
2006-07-07  3:37 ` Patrick McHardy
  -- strict thread matches above, loose matches on Subject: below --
2006-07-07 10:17 bdschuym@pandora.be
2006-07-07 10:24 ` Patrick McHardy
2006-07-13 12:56 bdschuym@pandora.be
2006-07-13 14:38 ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44BE68A1.4070609@trash.net \
    --to=kaber@trash.net \
    --cc=azez@ufomechanic.net \
    --cc=bdschuym@pandora.be \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=teastep@shorewall.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.