From: Florian Westphal <fw@strlen.de>
To: Gregory Vander Schueren <gregory.vanderschueren@tessares.net>
Cc: netfilter-devel@vger.kernel.org, gregory.detal@tessares.net,
Matthieu Baerts <matthieu.baerts@tessares.net>,
netdev@vger.kernel.org
Subject: Re: [PATCH] inet: don't call skb_orphan if tproxy happens in layer 2
Date: Fri, 16 Feb 2018 12:07:06 +0100 [thread overview]
Message-ID: <20180216110706.GM2810@breakpoint.cc> (raw)
In-Reply-To: <1518715545-2188-1-git-send-email-gregory.vanderschueren@tessares.net>
Gregory Vander Schueren <gregory.vanderschueren@tessares.net> wrote:
[ cc netdev ]
> If sysctl bridge-nf-call-iptables is enabled, iptables chains are already
> traversed from the bridging code. In such case, tproxy already happened when
> reaching ip_rcv. Thus no need to call skb_orphan as this would actually undo
> tproxy.
I don't like this because it adds yet another test in fastpath, and for
a use case that has apparently never worked before.
> We noticed issues when using tproxy with net.bridge.bridge-nf-call-iptables
> enabled. In such case, ip_rcv() basically undo tproxy's job. The following
> patch proposes a fix.
I question wheter its a good idea to mix tproxy with bridges.
Tproxy relies on policy routing, but a bridge doesn't route :-)
I guess you use bridge snat mac mangling to force local delivery of
packets that are otherwise bridged?
If yes, can you use ebtables brouting instead?
This would bypass the bridge (so no iptables invocation from bridge
prerouting anymore).
We will try to get rid of nf-call-iptables eventually.
There might be (more complicated) ways to avoid this problem without
adding code in normal network path, but lets check other options first.
next parent reply other threads:[~2018-02-16 11:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1518715545-2188-1-git-send-email-gregory.vanderschueren@tessares.net>
2018-02-16 11:07 ` Florian Westphal [this message]
2018-02-16 11:28 ` [PATCH] inet: don't call skb_orphan if tproxy happens in layer 2 Pablo Neira Ayuso
2018-02-16 15:44 ` Gregory Vander Schueren
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180216110706.GM2810@breakpoint.cc \
--to=fw@strlen.de \
--cc=gregory.detal@tessares.net \
--cc=gregory.vanderschueren@tessares.net \
--cc=matthieu.baerts@tessares.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox