netfilter-devel.vger.kernel.org archive mirror
From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Bernhard Thaler <bernhard.thaler@wvnet.at>,
	kadlec@blackhole.kfki.hu, netfilter-devel@vger.kernel.org,
	fw@strlen.de, Sven Eckelmann <sven@open-mesh.com>
Subject: Re: [PATCHv2 1/4] bridge: detect NAT66 correctly and change MAC address
Date: Mon, 23 Mar 2015 13:41:58 +0100
Message-ID: <20150323124158.GA6203@breakpoint.cc>
In-Reply-To: <20150323120748.GA6300@salvia>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Florian Westphal is currently exploring alternative solutions so
> br_netfilter can stop (ab)using the layer 3 infrastructure from the
> bridge code (this layering violation has been causing problems for
> quite some time, eg. some users don't expect a bridge to alter the
> fragmented traffic).
> 
> Although IPv6 support in br_netfilter is fairly incomplete, let me put
> these patches in a hold until Florian comes back to us with some
> feedback, we'll integrate them in some way or another at some point.

TBH I am not too sure about this.

IPv4 DNAT doesn't work 100% either, see

http://marc.info/?l=linux-netdev&m=136627779125382&w=2

[ btw, thanks that the crap patch referenced above didn't end up in the kernel ;) ]

So I think we first need to _clearly_ define how DNAT should work on a
bridge, rather than inherit all the weird corner cases that we have
with ipv4.

F.e. I think we wouldn't have all of these issues if we didn't care
about the l2 mac address (and always routed in the NAT case).

But I'll have to think about this some more.

In any case, I understand that not being able to e.g. REDIRECT is bad,
and perhaps it would be preferable to first fix ipv6 fragment
handling and then make REDIRECT work (and defer handling/supporting arbitrary DNAT
until we think we know how it should work).

One small comment on the patch below.

> > @@ -57,6 +58,7 @@ static inline unsigned int nf_bridge_pad(const struct sk_buff *skb)
> >  struct bridge_skb_cb {
> >  	union {
> >  		__be32 ipv4;
> > +		struct in6_addr ipv6;
> >  	} daddr;
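Review bot: the union carries no tag recording which member was filled, so any later reader of daddr.ipv6 has to rely on the same protocol check (skb->protocol / IP version) that was made when the address was saved; a one-line comment at the union stating which member is valid for which protocol would make that contract explicit. The union also grows from 4 bytes (__be32) to 16 bytes (struct in6_addr), so bridge_skb_cb, presumably living in skb->cb, gets 12 bytes larger; whatever check exists against sizeof(skb->cb) should be confirmed to still hold after this change.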

This is gone, dnat_took_place() should work without further changes if
you call it in the ipv6 prerouting finish hook.

> > +/* This requires some explaining. If DNAT has taken place,
> > + * we will need to fix up the destination Ethernet address.
> > + *
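Review bot: this comment block duplicates the existing IPv4 explanation of the same DNAT / destination-MAC fix-up, and two copies of that text will drift apart as either path changes; replace it with a one-line pointer such as `/* See the DNAT comment in the IPv4 path for why the destination MAC must be fixed up. */` and keep the full explanation in one place.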

I really think this novel^W comment should not be copied, just add a
reference to the ipv4 one.


Thread overview: 7+ messages
2014-12-05 21:12 [PATCH 1/1] bridge: detect NAT66 correctly and change MAC address Bernhard Thaler
2014-12-23 14:03 ` Pablo Neira Ayuso
2014-12-23 14:13   ` Pablo Neira Ayuso
2015-01-09  0:05     ` Bernhard Thaler
2015-03-18 21:52       ` [PATCHv2 1/4] " Bernhard Thaler
2015-03-23 12:07         ` Pablo Neira Ayuso
2015-03-23 12:41           ` Florian Westphal [this message]
