public inbox for linux-kernel@vger.kernel.org
From: Patrick McHardy <kaber@trash.net>
To: Bart De Schuymer <bdschuym@pandora.be>
Cc: Bart De Schuymer <bdschuym@telenet.be>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	netfilter-devel@manty.net, netfilter-devel@lists.netfilter.org,
	linux-kernel@vger.kernel.org,
	ebtables-devel@lists.sourceforge.net, rankincj@yahoo.com
Subject: Re: 2.6.12: connection tracking broken?
Date: Tue, 21 Jun 2005 17:16:05 +0200	[thread overview]
Message-ID: <42B82F35.3040909@trash.net> (raw)
In-Reply-To: <1119338382.3390.24.camel@localhost.localdomain>


Bart De Schuymer wrote:
> Deferring the hooks makes the bridge-nf code a lot more complicated, so I
> would be glad to get rid of it if it is the right thing to do. But
> backwards compatibility can't be maintained and I'd be surprised if
> every ruleset that now works will still be possible using an
> iptables/ebtables scheme.

I unfortunately don't see a way to remove it, but we should keep
thinking about it. Can you please check if the attached patch is
correct? It should exclude all packets handled by bridge-netfilter
from having their conntrack reference dropped. I didn't add nf_reset()'s
to the bridging code because with tc actions the packets can end up
anywhere else anyway, and this will hopefully get fixed right sometime.

BTW, this line from ip_sabotage_out() looks wrong, it will clear all
flags instead of setting the BRNF_DONT_TAKE_PARENT flag (second
patch):

                        nf_bridge->mask &= BRNF_DONT_TAKE_PARENT;

Signed-off-by: Patrick McHardy <kaber@trash.net>

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 448 bytes --]

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -188,7 +188,12 @@ static inline int ip_finish_output2(stru
 		skb = skb2;
 	}
 
-	nf_reset(skb);
+#ifdef CONFIG_BRIDGE_NETFILTER
+	/* bridge-netfilter defers calling some IP hooks to the bridge layer and
+	 * still needs the conntrack reference */
+	if (skb->nf_bridge == NULL)
+#endif
+		nf_reset(skb);
 
 	if (hh) {
 		int hh_alen;
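Review bot: wrapping only the `if` in `#ifdef CONFIG_BRIDGE_NETFILTER` leaves `nf_reset(skb);` indented as a conditional body even when the option is off, where it is in fact unconditional; it compiles, but it is easy to misread and awkward to review. Consider an unconditional `if (!skb_has_nf_bridge(skb)) nf_reset(skb);` with the config test moved into a small static inline helper, and `!skb->nf_bridge` rather than `== NULL` to match the usual kernel style. The comment says bridge-netfilter still needs the conntrack reference; it would help to state where that reference is released later, so the skipped reset is not mistaken for a leak.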

[-- Attachment #3: 10.diff --]
[-- Type: text/x-patch, Size: 573 bytes --]

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -882,7 +882,7 @@ static unsigned int ip_sabotage_out(unsi
 		 * doesn't use the bridge parent of the indev by using
 		 * the BRNF_DONT_TAKE_PARENT mask. */
 		if (hook == NF_IP_FORWARD && nf_bridge->physindev == NULL) {
-			nf_bridge->mask &= BRNF_DONT_TAKE_PARENT;
+			nf_bridge->mask |= BRNF_DONT_TAKE_PARENT;
 			nf_bridge->physindev = (struct net_device *)in;
 		}
 #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
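Review bot: `|=` is the right operator here: with `&=` a single-bit BRNF_DONT_TAKE_PARENT mask kept that bit only if it was already set and cleared every other bit in `nf_bridge->mask`, so the comment above ("by using the BRNF_DONT_TAKE_PARENT mask") never described what the code did. Worth checking that no later code silently relied on the other mask bits being cleared at this point, since they now survive the FORWARD hook.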

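A small constructed model of the ip_sabotage_out() fix discussed in the mail, added here as an illustration and not part of the message or the kernel; the flag values, the unrelated flag bit, the hook number and the struct layouts are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code. BRNF_DONT_TAKE_PARENT is the only
 * flag named in the mail; the other flag and all numeric values are assumed. */
#define BRNF_OTHER_FLAG_HYP     0x01u  /* hypothetical unrelated flag bit */
#define BRNF_DONT_TAKE_PARENT   0x08u  /* value assumed for illustration */
#define NF_IP_FORWARD           2      /* hook number assumed */

struct net_device { const char *name; };
struct nf_bridge_info {
    unsigned int mask;
    struct net_device *physindev;
};

/* Mirrors the hunk's condition: only at the FORWARD hook, and only when no
 * physical indev was recorded, mark the packet and record 'in'. With
 * use_buggy_op the original '&=' is applied, otherwise the fixed '|='. */
void sabotage_out_mark(unsigned int hook, struct nf_bridge_info *nb,
                       struct net_device *in, bool use_buggy_op)
{
    if (hook == NF_IP_FORWARD && nb->physindev == NULL) {
        if (use_buggy_op)
            nb->mask &= BRNF_DONT_TAKE_PARENT; /* keeps the bit only if already set, clears the rest */
        else
            nb->mask |= BRNF_DONT_TAKE_PARENT; /* sets the flag, preserves other bits */
        nb->physindev = in;
    }
}

/* Check used by the test: flag set and the unrelated flag left intact. */
bool mark_is_correct(const struct nf_bridge_info *nb)
{
    return (nb->mask & BRNF_DONT_TAKE_PARENT) != 0 &&
           (nb->mask & BRNF_OTHER_FLAG_HYP) != 0;
}
```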