From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965317AbbLRUhX (ORCPT ); Fri, 18 Dec 2015 15:37:23 -0500 Received: from mail.us.es ([193.147.175.20]:58820 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933153AbbLRUhV (ORCPT ); Fri, 18 Dec 2015 15:37:21 -0500 Date: Fri, 18 Dec 2015 21:37:17 +0100 From: Pablo Neira Ayuso To: Florian Westphal Cc: Arnd Bergmann , davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Tom Herbert , netfilter-devel@vger.kernel.org Subject: Re: [PATCH] ila: add NETFILTER dependency Message-ID: <20151218203717.GA14846@salvia> References: <2011239.T7zzuZGeyk@wuerfel> <20151218172606.GB1299@salvia> <20151218180931.GC29573@breakpoint.cc> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20151218180931.GC29573@breakpoint.cc> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 18, 2015 at 07:09:31PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > I'm afraid this extra Kconfig dependency that Arnd adds to fix this is > > a symptom that there is something that doesn't belong there. > > > > I overlook this new hook on priority -1, how does this integrate into > > our infrastructure? > > Looks problematic since address changes post ipv6 dnat translations, > its certainly unexpected for nft since we have magic address mangling > after -2 and 0 priroized tables... David indicated that this should be sort of transparent and integrated into separated infrastructure. The existing hook will break IPv6 conntrack and NAT for us, and the extra hook is suboptimal as it I'd suggest you add a static key and specific hook before netfilter to deal with this.