Re: 2.6.12: connection tracking broken?

From: Bart De Schuymer
Date: Mon Jun 20 2005 - 13:35:21 EST


Op ma, 20-06-2005 te 14:15 +0200, schreef Patrick McHardy:
> Bart De Schuymer wrote:
> > Op ma, 20-06-2005 te 04:45 +0200, schreef Patrick McHardy:
> >
> >> Bart, can you explain why the hooks are defered please?
> >
> > This is done so that iptables knows which bridge port the output device
> > is, using the iptables physdev match.
>
> In which cases is this necessary? AFAICT the output device is determined
> in br_handle_frame_finish() for a normally bridged packet.

When the _routing_ decision sends the packet to br0 (a bridge device),
it is unknown which bridge port(s) the packet will be sent out. This is
only known after the packet enters the bridge code. Therefore, for
iptables to know the bridge port out device, the hooks must be postponed
until in the bridge code.

> > Can't you release the conntrack reference with a function registered on
> > the POSTROUTING hook with a prio higher than nat POSTROUTING (or
> > something like that)?
>
> We would have to hold the reference while the packet is queued at the
> device for the bridge case, which we want to avoid.

Trust me, people will complain if they can no longer use the physdev
match for routed packets.
People using a bridging firewall will just have to live with the fact
that the reference is held until in the bridge code.

cheers,
Bart


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/