From: Bart De Schuymer <bdschuym@pandora.be>
To: Patrick McHardy <kaber@trash.net>
Cc: Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>,
Stephen Hemminger <shemminger@linux-foundation.org>
Subject: Re: [PATCH/RFC 3/5] bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets
Date: Thu, 08 Apr 2010 15:27:44 +0200 [thread overview]
Message-ID: <4BBDD9D0.1010402@pandora.be> (raw)
In-Reply-To: <4BBDCCAB.8050704@trash.net>
Patrick McHardy wrote:
> Bart De Schuymer wrote:
>
>> bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets
>>
>> - Add some code in br_device.c::br_dev_xmit() which enables the
>> removal of br_netfilter.c::br_nf_local_out(). The function
>> br_nf_local_out() was needed because the PF_BRIDGE::LOCAL_OUT hook
>> could be called when IP DNAT happens on to-be-bridged traffic. The
>> new scheme eliminates this mess.
>> - Speed up IP DNAT. To obtain the correct destination MAC address,
>> neigh_hh_output() or dst->neighbour->output() is called. In both
>> cases this results in the queueing of the packet. However, if dst->hh
>> is available, we already know the MAC address so we can just copy it
>> instead, removing the need for neigh_hh_output(). This MAC address is
>> copied in the new function neigh_hh_bridge().
>> - fix IP DNAT on vlan- or pppoe-encapsulated traffic: The functions
>> neigh_hh_output() or dst->neighbour->output() overwrite the complete
>> Ethernet header, although we only need the destination MAC address.
>> For encapsulated packets, they ended up overwriting the encapsulating
>> header. The new code copies the Ethernet source MAC address and
>> protocol number before calling dst->neighbour->output(). The Ethernet
>> source MAC and protocol number are copied back in place in
>> br_nf_pre_routing_finish_bridge_slow(). This also makes the IP DNAT
>> more transparent because in the old scheme the source MAC of the
>> bridge was copied into the source address in the Ethernet header. We
>> also let skb->protocol equal ETH_P_IP resp. ETH_P_IPV6 during the
>> execution of the PF_INET resp. PF_INET6 hooks.
>>
>
> Besides patch 5 these all look fine to me. Regarding this one,
> the individual changes don't seem to strictly depend on each
> other. Would it be possible to split this up further to make
> review (and potentially bisections) easier?
>
That should be possible, I think. I'll have a look at it in the near future.
Bart
--
Bart De Schuymer
www.artinalgorithms.be
next prev parent reply other threads:[~2010-04-08 13:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-30 14:16 [PATCH/RFC 3/5] bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets Bart De Schuymer
2010-04-08 12:31 ` Patrick McHardy
2010-04-08 13:27 ` Bart De Schuymer [this message]
2010-04-08 13:28 ` Patrick McHardy
2010-04-13 9:44 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BBDD9D0.1010402@pandora.be \
--to=bdschuym@pandora.be \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=shemminger@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).