From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 1/2 v2 nf-next] net: bridge: don't register netfilter call_iptables hooks by default
Date: Fri, 19 Sep 2014 12:13:12 +0200 [thread overview]
Message-ID: <20140919101312.GA2054@breakpoint.cc> (raw)
In-Reply-To: <20140918183956.GA3989@salvia>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> We can keep those sysctls there in bridge.ko and deprecated them in
> favour of br_netlink. I think we can add some IFLA_BRPORT_NF for the
> setlink command to replace the existing global proc nf-call-thing.
> We'll have to enhance the 'bridge' tool in iproute2 to support this.
Not sure this is needed. Patrick added support for a per-bridge
sysfs flag a while back.
> > Then, in two years or so, we would remove the autoload hook
> > in the packet procesing path.
>
> Agreed. By that time, we can kill the bridge.ko <-> br_netfilter.ko
> dependency and the /proc call-nf-bridge stuff in favour of br_netlink.
>
> Let me know if you still have any concern. Thanks.
Yes, well... I am afraid Patrick is right, we cannot remove it without
breaking some setups.
So, what to do?
I think the first step would be to go ahead and split the hook glue to
a separate module, and then add the autoprobing from the packet processing
path (only loading br_nf module when needed).
We could still add a deprecation warning later on (aka 'please modprobe
br_nf_core' instead). But yes, Patricks probably right, waiting two
years doesn't make it more 'safe' than waiting 6 months...
What _might_ help is if there was an easy (and fast) way to tell wheter
iptables rules are loaded (right now it checks for active netfilter hooks).
Then, we could restrict the autoload to arp/ip(6)tables and not load
the br_nf glue module when nft is used instead.
That will allow removing autload with iptables removal. Yes, I know
this is in a very distant future...
next prev parent reply other threads:[~2014-09-19 10:13 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-17 15:52 [PATCH 1/2 v2 nf-next] net: bridge: don't register netfilter call_iptables hooks by default Florian Westphal
2014-09-17 15:52 ` [PATCH 2/2 nf-next] net: bridge: deprecate call_iptables=1 default value Florian Westphal
2014-09-18 13:35 ` [PATCH 1/2 v2 nf-next] net: bridge: don't register netfilter call_iptables hooks by default Pablo Neira Ayuso
2014-09-18 14:31 ` Florian Westphal
2014-09-18 18:39 ` Pablo Neira Ayuso
2014-09-19 10:13 ` Florian Westphal [this message]
2014-09-18 19:52 ` Patrick McHardy
2014-09-18 19:31 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140919101312.GA2054@breakpoint.cc \
--to=fw@strlen.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).