From: Patrick McHardy <kaber@trash.net>
To: Philip Craig <philipc@snapgear.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] support --physdev-out for routed packets
Date: Thu, 12 Jul 2007 14:45:18 +0200
Message-ID: <4696225E.3000606@trash.net>
In-Reply-To: <4695CCF8.1010202@snapgear.com>
Philip Craig wrote:
> My most common use of bridging is a transparent firewall between
> the LAN and the WAN. This requires the ability to filter based on
> the outgoing port, which the current physdev match supports.
>
...
>
> So here is an ugly, inefficient, flawed, and barely tested patch
> which lets me do this. I have no expectation of this being suitable
> for mainline kernels, but maybe someone else is interested in it or
> wants to comment on the approach.
>
> The patch digs into the bridge internals too much, causes an extra
> bridge fdb lookup, ignores some const attributes, and probably has
> broken locking. And if there are no ARP or bridge fdb entries, then
> it doesn't match any ports.
It's probably also racy wrt. fdb changes. The thing I still don't get
is .. if you combine a bunch of devices in a bridge, why would you
care which port a packet will leave through? If you already know
behind which port something is reachable, why use a bridge? And if
you don't know I suppose you have nothing to filter by.