From: Patrick McHardy <kaber@trash.net>
To: Mark McLoughlin <markmc@redhat.com>
Cc: netdev <netdev@vger.kernel.org>,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH] bridge: make bridge-nf-call-*tables default configurable
Date: Wed, 01 Jul 2009 10:56:15 +0200	[thread overview]
Message-ID: <4A4B24AF.50604@trash.net> (raw)
In-Reply-To: <1246379267.3749.42.camel@blaa>

Mark McLoughlin wrote:
> With BRIDGE_NETFILTER enabled, bridge traffic is passed through
> netfilter as it is forwarded across the bridge. This is a useful
> feature in specialized cases where the admin wishes to filter bridge
> traffic based on higher-level protocol headers.
> 
> However, in a lot of cases, it causes a large amount of confusion
> since it is so counter-intuitive - nobody expects their IP firewall
> rules to also apply to traffic on their bridges.
> 
> This is especially true for virtualization, where users create a
> bridge and find that some types of traffic work and others don't, and
> it can take quite some time to identify iptables as the culprit. Users
> are often recommended to configure their iptables rules to ACCEPT
> "physdev-is-bridged" in order to avoid this confusion.
> 
> However, because nf_conntrack introduces an skb_orphan(), it is now
> recommended that bridge-nf-call-iptables be disabled completely so as
> to ensure features like TUNSETSNDBUF work as expected.
> 
> For these reasons, it makes sense to allow distributions to disable
> netfilter on the bridge by default and require those specialized users
> to enable it explicitly via sysctl.

I agree that this makes sense, at least temporarily. Mid-term
we should really fix the defaults, so it would be good to have a
feature-removal-schedule and maybe a runtime warning stating that
these defaults will change.
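
The two workarounds the commit message refers to (an ACCEPT rule for traffic that is "physdev-is-bridged", or switching the bridge-nf-call-*tables sysctls off), written out as an added shell example; this is not code from the patch, from the kernel tree or from any distribution. The helper names and the PROC_ROOT variable are my own: PROC_ROOT is an assumption that lets the checks be exercised against a constructed /proc tree, and is empty on a real host so the real /proc is read. The three sysctl names are the ones br_netfilter registers.

```shell
#!/bin/sh
# Added example (not from the patch or the kernel tree): inspect the
# bridge-nf-call-*tables sysctls and emit or apply the two workarounds
# discussed in the thread. PROC_ROOT is an assumption for testing
# against a constructed tree; leave it empty on a real host.

PROC_ROOT="${PROC_ROOT:-}"
BRNF_DIR="$PROC_ROOT/proc/sys/net/bridge"

# The three sysctls br_netfilter registers (arp, IPv4, IPv6 hooks).
BRNF_SYSCTLS="bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables"

# Print "name value" for each sysctl. "absent" means the file does not
# exist: on current kernels (3.18 and later) br_netfilter is a separate
# module and the keys only appear once it is loaded.
brnf_status() {
    for s in $BRNF_SYSCTLS; do
        f="$BRNF_DIR/$s"
        if [ -r "$f" ]; then
            printf '%s %s\n' "$s" "$(cat "$f")"
        else
            printf '%s absent\n' "$s"
        fi
    done
}

# Return 0 when no bridged ARP/IPv4/IPv6 traffic is being diverted into
# {arp,ip,ip6}tables, i.e. every sysctl that exists reads 0.
brnf_disabled() {
    brnf_status | while read -r name value; do
        if [ "$value" = "1" ]; then
            exit 1
        fi
    done
}

# Workaround 1 from the commit message: accept bridged frames before the
# host's own FORWARD rules see them. --physdev-is-bridged only matches in
# the FORWARD and POSTROUTING chains, so FORWARD is where the rule goes.
brnf_physdev_rules() {
    printf '%s\n' "iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT"
    printf '%s\n' "ip6tables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT"
}

# Workaround 2: turn the hooks off persistently. The module has to be
# loaded before sysctl.d is applied, otherwise the keys do not exist yet.
brnf_disable_fragment() {
    cat <<'EOF'
# /etc/modules-load.d/br_netfilter.conf
br_netfilter
# /etc/sysctl.d/99-bridge-nf.conf
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
EOF
}

# Workaround 2 applied immediately to the tree under PROC_ROOT
# (needs root on a real host). Returns 0 if every hook is now off.
brnf_disable_now() {
    for s in $BRNF_SYSCTLS; do
        f="$BRNF_DIR/$s"
        if [ -w "$f" ]; then
            printf '0\n' > "$f"
        fi
    done
    brnf_disabled
}
```

Either workaround means the host's iptables rules no longer see bridged frames at all, so anything that relied on them to isolate guests behind the bridge has to move to ebtables or the nftables bridge family; check brnf_status before and after so the change is deliberate rather than discovered the way the commit message describes.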

Thread overview: 26+ messages
     [not found] <1246379267.3749.42.camel@blaa>
2009-06-30 17:00 ` [PATCH] bridge: make bridge-nf-call-*tables default configurable Herbert Xu
2009-06-30 19:06   ` David Miller
2009-06-30 20:16     ` Jan Engelhardt
2009-06-30 20:57       ` Mark Smith
2009-06-30 21:30         ` Jan Engelhardt
2009-07-01  1:48         ` Herbert Xu
2009-07-01  1:15       ` Herbert Xu
2009-07-01  3:50         ` Jan Engelhardt
2009-07-01  4:10           ` Herbert Xu
2009-07-01  4:14           ` Ben Greear
2009-07-01  9:01         ` Patrick McHardy
2009-07-01  8:57   ` Patrick McHardy
2009-07-01  9:07     ` Herbert Xu
2009-07-01  9:21       ` Patrick McHardy
2009-07-01 16:33         ` Herbert Xu
2009-07-01 17:01           ` Patrick McHardy
2009-07-01  3:16 ` David Miller
2009-07-01 10:45   ` Mark McLoughlin
2009-07-01 10:51     ` Patrick McHardy
2009-07-01 16:02       ` David Miller
2009-07-01 16:05         ` Patrick McHardy
2009-07-01 16:08           ` David Miller
2009-07-01 21:18           ` Mark Smith
2009-07-01 16:02     ` David Miller
2009-07-01 16:26       ` Herbert Xu
2009-07-01  8:56 ` Patrick McHardy [this message]
