From: Patrick McHardy <kaber@trash.net>
To: Bart De Schuymer <bdschuym@pandora.be>
Cc: Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>,
Stephen Hemminger <shemminger@linux-foundation.org>
Subject: Re: [PATCH/RFC 3/5] bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets
Date: Thu, 08 Apr 2010 14:31:39 +0200 [thread overview]
Message-ID: <4BBDCCAB.8050704@trash.net> (raw)
In-Reply-To: <4BB207A8.6000608@pandora.be>
Bart De Schuymer wrote:
> bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets
>
> - Add some code in br_device.c::br_dev_xmit() which enables the
> removal of br_netfilter.c::br_nf_local_out(). The function
> br_nf_local_out() was needed because the PF_BRIDGE::LOCAL_OUT hook
> could be called when IP DNAT happens on to-be-bridged traffic. The
> new scheme eliminates this mess.
> - Speed up IP DNAT. To obtain the correct destination MAC address,
> neigh_hh_output() or dst->neighbour->output() is called. In both
> cases this results in the queueing of the packet. However, if dst->hh
> is available, we already know the MAC address so we can just copy it
> instead, removing the need for neigh_hh_output(). This MAC address is
> copied in the new function neigh_hh_bridge().
> - fix IP DNAT on vlan- or pppoe-encapsulated traffic: The functions
> neigh_hh_output() or dst->neighbour->output() overwrite the complete
> Ethernet header, although we only need the destination MAC address.
> For encapsulated packets, they ended up overwriting the encapsulating
> header. The new code copies the Ethernet source MAC address and
> protocol number before calling dst->neighbour->output(). The Ethernet
> source MAC and protocol number are copied back in place in
> br_nf_pre_routing_finish_bridge_slow(). This also makes the IP DNAT
> more transparent because in the old scheme the source MAC of the
> bridge was copied into the source address in the Ethernet header. We
> also let skb->protocol equal ETH_P_IP resp. ETH_P_IPV6 during the
> execution of the PF_INET resp. PF_INET6 hooks.
Besides patch 5 these all look fine to me. Regarding this one,
the individual changes don't seem to strictly depend on each
other. Would it be possible to split this up further to make
review (and potentially bisections) easier?
next prev parent reply other threads:[~2010-04-08 12:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-30 14:16 [PATCH/RFC 3/5] bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets Bart De Schuymer
2010-04-08 12:31 ` Patrick McHardy [this message]
2010-04-08 13:27 ` Bart De Schuymer
2010-04-08 13:28 ` Patrick McHardy
2010-04-13 9:44 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BBDCCAB.8050704@trash.net \
--to=kaber@trash.net \
--cc=bdschuym@pandora.be \
--cc=netfilter-devel@vger.kernel.org \
--cc=shemminger@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).