[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-bridge
Subject:    Re: [Bridge] locally generated  packets lost after output chain
From:       "Bart De Schuymer" <bart.de.schuymer () pandora ! be>
Date:       2002-04-11 18:33:18
[Download RAW message or body]

From: "Lennert Buytenhek" <buytenh@gnu.org>
Sent: Thursday, April 11, 2002 4:00 PM


> Actually, routed packets _should_ go through br_nf_local_out.
> I was talking shit here, and I see why your patch is needed now.
> I see I missed the okfn-check-in-ipv4-sabotage-out hunk from
> your patch, so I just put yours on the bridge-nf patchtracker
> page.  It will be in 0.0.7.
>
> Sorry for the big delay :~(

All's well that ends well :)

> > You just make me realize that my patch makes the layer 2 flow
> > (seen from ebtables' standpoint) for ip DNATed 'bridged' packets
> > unnatural. So we need a compromise that handles both, right?
>
> You mean the cross-bridge DNAT case, or the other case?

Packets getting the skb->dst->output(skb) treatment in
br_nf_pre_routing_finish are bridged packets that go through the
BR_NF_LOCAL_OUT hook. These packets should be seen by ebtables as bridged,
so
they should go through the ebtables PREROUTING->FORWARD->POSTROUTING chains.
With my patch they will go through the ebtables chains like this:
PREROUTING->OUTPUT->POSTROUTING, not good.
Without my patch they will go through the ebtables chains like this:
PREROUTING->POSTROUTING
because the FORWARD chain of ebtables has priority -200 < 0 (see another
recent mail and the next mail I'll reply to :) ).

cheers,
Bart



[prev in list] [next in list] [prev in thread] [next in thread]