----- Original Message -----
From: "Lennert Buytenhek" <[EMAIL PROTECTED]>
To: "Bart De Schuymer" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 24, 2001 2:44 PM
Subject: Re: [Bridge] [PATCH] bridge-nf-0.0.4.bis patch available
> Hi there,

Hello,

> Could you send patches in smaller bits please? In this case especially since
> some parts are obvious and some parts aren't..

Will do.

> > - Give bridge netfilter functions priority NF_BR_PRI_LAST (i.e. INT_MAX)
>
> Why is this, I guess because of your ebtables hooks? I'd rather hand out
> priorities properly (i.e. NF_BR_FILTER, NF_BR_IP_PASSTHROUGH in
> netfilter_bridge.h) instead of having more magic numbers in here..

Ok, but my main point was that the nf bridge priority of passthrough should be
INT_MAX, no matter what name you give it. Any function that attaches to a
netfilter hook after the passthrough function might as well attach before the
passthrough function:

- if the function does stuff for ip packets it gets useless if it attaches after
  the passthrough function because passthrough steals those packets.
- in the other case it doesn't matter whether the function is executed before
  the passthrough function or not, because passthrough couldn't care less about
  non-ipv4 packets.

Ok, theoretically there could be a function that only wants to look at the ip
packets if the passthrough function is not loaded. Then that function needs to
have a lower priority (and thus a higher number) than the passthrough function.
I just find 0 as priority to be such a low value. Basically you are confining
most functions to negative priority values... Maybe (INT_MAX - 1) or so :-)

> > - Give sabotage functions netfilter priority NF_IP_PRI_FIRST (i.e. INT_MIN),
> > except for NF_IP_LOCAL_OUT of course
>
> For PRE_ROUTING I agree, for FORWARD not really. There just happens to be
> nothing before PRI_BRIDGE_SABOTAGE, but I'm sure there could be hooks
> interested in the 'original' (i.e. possibly un'flooded') packet.

Ok, but naming that priority also NF_IP_PRI_BRIDGE_SABOTAGE is misleading. In
essence I believe the priorities for SABOTAGE on NF_IP_LOCAL_OUT and
NF_IP_FORWARD are unrelated. It just happens that that value (-50) works for
both hooks. Couldn't we put something like (INT_MIN + 10)? Suppose someone has
an ip netfilter function and decides to put it at priority value -60 (not
knowing about passthrough). It would be most likely better that the passthrough
priority value be lower than this -60.

cheers,
Bart

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
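The argument in Bart's message (a hook that steals IPv4 frames hides them from every hook registered after it, so its priority value only matters relative to whatever else is on the same hook point) is easy to check with a small user-space model. The following C program is an added illustration, not code from the bridge-nf patch, from ebtables or from the kernel: it keeps a per-hook list sorted by ascending priority the way netfilter does, and a `passthrough` function that returns a stolen verdict for protocol 0x0800. The names `hook_chain`, `register_hook`, `run_hook`, `ip_watcher` and `watcher_sees_ipv4`, the two-value verdict enum and the toy packet struct are all assumptions of this model.

```c
/* User-space model of netfilter hook traversal (added illustration, not kernel
 * code).  Hooks on one hook point run in ascending priority order; a hook that
 * returns a "stolen" verdict ends the traversal, so later hooks never see the
 * packet.  All names below are assumptions of this model. */
#include <stdio.h>
#include <limits.h>

/* Two verdicts are enough for the model (the kernel has more). */
enum verdict { V_ACCEPT = 0, V_STOLEN = 1 };

/* Toy packet: only the link-layer protocol matters here (0x0800 = IPv4). */
struct pkt {
    unsigned short protocol;
    int seen_by_ip_hook;   /* set when the IPv4-interested hook ran on it */
};

typedef enum verdict (*hook_fn)(struct pkt *);

struct hook_op {
    const char *name;
    int priority;
    hook_fn fn;
};

#define MAX_OPS 8
struct hook_chain {
    struct hook_op ops[MAX_OPS];
    int n;
};

/* Insert while keeping ascending priority order (lower number runs first). */
static void register_hook(struct hook_chain *c, const char *name, int prio, hook_fn fn)
{
    int i = c->n;
    while (i > 0 && c->ops[i - 1].priority > prio) {
        c->ops[i] = c->ops[i - 1];
        i--;
    }
    c->ops[i].name = name;
    c->ops[i].priority = prio;
    c->ops[i].fn = fn;
    c->n++;
}

/* Walk the chain and stop at the first hook that steals the packet.
 * Returns how many hooks actually ran. */
static int run_hook(const struct hook_chain *c, struct pkt *p)
{
    for (int i = 0; i < c->n; i++) {
        if (c->ops[i].fn(p) == V_STOLEN)
            return i + 1;
    }
    return c->n;
}

/* Model of the passthrough hook: takes IPv4 frames away from the bridge. */
static enum verdict passthrough(struct pkt *p)
{
    return p->protocol == 0x0800 ? V_STOLEN : V_ACCEPT;
}

/* Some other module that wants to look at IPv4 packets on the same hook. */
static enum verdict ip_watcher(struct pkt *p)
{
    if (p->protocol == 0x0800)
        p->seen_by_ip_hook = 1;
    return V_ACCEPT;
}

/* Returns 1 if ip_watcher (registered at watcher_prio) gets to see an IPv4
 * packet while passthrough is registered at pass_prio, else 0. */
int watcher_sees_ipv4(int pass_prio, int watcher_prio)
{
    struct hook_chain chain = { .n = 0 };
    struct pkt p = { .protocol = 0x0800, .seen_by_ip_hook = 0 };
    register_hook(&chain, "passthrough", pass_prio, passthrough);
    register_hook(&chain, "ip_watcher", watcher_prio, ip_watcher);
    run_hook(&chain, &p);
    return p.seen_by_ip_hook;
}

int main(void)
{
    /* passthrough at 0: a watcher at priority 10 never sees IPv4 packets */
    printf("passthrough=0,       watcher=10 -> seen=%d\n", watcher_sees_ipv4(0, 10));
    /* passthrough at INT_MAX: every other priority runs before it */
    printf("passthrough=INT_MAX, watcher=10 -> seen=%d\n", watcher_sees_ipv4(INT_MAX, 10));
    return 0;
}
```

With passthrough at priority 0 any module that picks a positive priority silently loses all IPv4 traffic; with passthrough at INT_MAX (or INT_MAX - 1, as Bart suggests) only a module that deliberately registers at INT_MAX or above is affected, which is the point of the thread.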
