Re: 2.6.12: connection tracking broken?

From: Herbert Xu
Date: Wed Jun 22 2005 - 17:03:33 EST

Next message: David Masover: "Re: reiser4 plugins"
Previous message: Chen, Kenneth W: "Update: Industry db benchmark result"
In reply to: Patrick McHardy: "Re: 2.6.12: connection tracking broken?"
Next in thread: Carl-Daniel Hailfinger: "Re: 2.6.12: connection tracking broken?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 21, 2005 at 05:16:05PM +0200, Patrick McHardy wrote:
> Bart De Schuymer wrote:
> > Deferring the hooks makes the bridge-nf code alot more complicated, so I
> > would be glad to get rid of it if it is the right thing to do. But
> > backwards compatibility can't be maintained and I'd be surprised if
> > every ruleset that now works will still be possible using an
> > iptables/ebtables scheme.
>
> I unfortunately don't see a way to remove it, but we should keep
> thinking about it. Can you please check if the attached patch is
> correct? It should exclude all packets handled by bridge-netfilter
> from having their conntrack reference dropped. I didn't add nf_reset()'s
> to the bridging code because with tc actions the packets can end up
> anywhere else anyway, and this will hopefully get fixed right sometime.

I think this patch will be fine for 2.6.12.*.

Longer term though we should obsolete the ipt_physdev module. The
rationale there is that this creates a precedence that we can't
possibly maintain in a consistent way. For example, we don't have
a target that matches by hardware MAC address. If you wanted to
do that, you'd hook into the arptables interface rather than deferring
iptables after the creation of the hardware header.

This can be done in two stages to minimise pain for people already
using it:

1) We rewrite ipt_physdev to do the lookups necessary to get the output
physical devices through the bridge layer. Of course this may not be
the real output device due to changes in the environment. So this should
be accompanied with a warning that users should switch to ebt.

2) We remove the iptables deferring since ipt_physdev will no longer need
it.

3) After a set period (say a year or so) we remove ipt_physdev altogether.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Masover: "Re: reiser4 plugins"
Previous message: Chen, Kenneth W: "Update: Industry db benchmark result"
In reply to: Patrick McHardy: "Re: 2.6.12: connection tracking broken?"
Next in thread: Carl-Daniel Hailfinger: "Re: 2.6.12: connection tracking broken?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]