On Wed, Dec 26, 2001 at 06:39:13PM +0100, Bart De Schuymer wrote:
> > > - Give bridge netfilter functions priority NF_BR_PRI_LAST (i.e. INT_MAX)
> >
> > Why is this, I guess because of your ebtables hooks? I'd rather hand out
> > priorities properly (i.e. NF_BR_FILTER, NF_BR_IP_PASSTHROUGH in
> > netfilter_bridge.h) instead of having more magic numbers in here..
>
> Ok, but my main point was that the nf bridge priority of passthrough should
> be INT_MAX, no matter what name you give it.

Please allow me to disagree.

> Any function that attaches to a netfilter hook after the passthrough
> function might as well attach before the passthrough function:
> - if the function does stuff for ip packets it gets useless if it attaches
> after the passthrough function because passthrough steals those packets.

*That* is the bug. We should definitely call NF_HOOK_THRESH after the
passthrough functions.

> > > - Give sabotage functions netfilter priority NF_IP_PRI_FIRST (i.e. INT_MIN),
> > > except for NF_IP_LOCAL_OUT of course
> >
> > For PRE_ROUTING I agree, for FORWARD not really. There just happens to be
> > nothing before PRI_BRIDGE_SABOTAGE, but I'm sure there could be hooks
> > interested in the 'original' (i.e. possibly un'flooded') packet.
>
> Ok, but naming that priority also NF_IP_PRI_BRIDGE_SABOTAGE is misleading.
> In essence I believe the priorities for SABOTAGE on NF_IP_LOCAL_OUT and
> NF_IP_FORWARD are unrelated. It just happens that that value (-50) works for
> both hooks.

Well, IPv4 does the same thing with hook priorities. I think it does make
sense in a way.

> Couldn't we put something like (INT_MIN + 10)?
> Suppose someone has an ip netfilter function and decides to put it at
> priority value -60 (not knowing about passthrough).

(This is why we need 'proper' priority registration :)

cheers,
Lennert

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
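The hook-priority mechanics the thread argues about, as an added userland model in C (not kernel code, and not from either poster): hooks run in ascending priority order, a hook returning NF_STOLEN ends the traversal so every later hook misses that packet, and re-entering the chain with a threshold (what NF_HOOK_THRESH does) resumes it just past a given priority. The verdict names and values match the kernel's netfilter.h; the hook bodies, the priority values 100 and 110 and the sample packets are constructed for the model and are not the kernel's real bridge priorities.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Verdicts; names and values match the kernel's <linux/netfilter.h>. */
#define NF_DROP   0U
#define NF_ACCEPT 1U
#define NF_STOLEN 2U

/* Constructed priorities for the model (the real bridge values are the ones
 * under discussion); kept small so "one past passthrough" is representable. */
#define PRI_PASSTHROUGH 100
#define PRI_LATE_FILTER 110

struct pkt {
    const char *proto;      /* "ip" or "arp" in the constructed samples */
    int seen_by_ip_filter;  /* times the IP-aware filter hook processed it */
    int stolen;             /* times passthrough took it */
};

typedef unsigned int (*hook_fn)(struct pkt *p);

struct hook {
    int priority;           /* lower value runs first, as in the kernel */
    const char *name;
    hook_fn fn;
    struct hook *next;
};

static struct hook *chain;  /* ascending by priority; ties keep registration order */

/* Models nf_register_hook(): keep the list sorted by priority. */
static void register_hook(struct hook *h)
{
    struct hook **pp = &chain;
    while (*pp && (*pp)->priority <= h->priority)
        pp = &(*pp)->next;
    h->next = *pp;
    *pp = h;
}

/* Models nf_iterate() as driven by NF_HOOK_THRESH(): skip hooks below thresh,
 * run the rest in order, stop at the first verdict other than NF_ACCEPT. */
static unsigned int run_hooks(struct pkt *p, int thresh)
{
    for (struct hook *h = chain; h; h = h->next) {
        if (h->priority < thresh)
            continue;
        unsigned int verdict = h->fn(p);
        if (verdict != NF_ACCEPT)
            return verdict;
    }
    return NF_ACCEPT;
}

/* Hypothetical hook bodies standing in for the ones the thread discusses. */
static unsigned int ip_filter(struct pkt *p)
{
    if (strcmp(p->proto, "ip") == 0)
        p->seen_by_ip_filter++;
    return NF_ACCEPT;
}

static unsigned int passthrough(struct pkt *p)
{
    if (strcmp(p->proto, "ip") == 0) {
        p->stolen++;
        return NF_STOLEN;   /* off to the IP stack; traversal ends here */
    }
    return NF_ACCEPT;
}

static struct hook h_pass   = { PRI_PASSTHROUGH, "passthrough", passthrough, NULL };
static struct hook h_filter = { PRI_LATE_FILTER, "ip_filter",   ip_filter,   NULL };

static void setup_chain(void)
{
    chain = NULL;
    register_hook(&h_filter);   /* registration order does not matter; */
    register_hook(&h_pass);     /* priority decides: passthrough runs first */
}

/* One full traversal from the lowest priority: passthrough steals IP packets,
 * so a filter sitting after it never sees them. Returns the filter's count. */
int filter_hits_without_reinject(void)
{
    struct pkt p = { "ip", 0, 0 };
    setup_chain();
    run_hooks(&p, INT_MIN);
    return p.seen_by_ip_filter;
}

/* Same chain, but when the packet comes back from the IP stack the bridge
 * hook is re-entered just past passthrough's priority, so the filter runs. */
int filter_hits_with_reinject(void)
{
    struct pkt p = { "ip", 0, 0 };
    setup_chain();
    if (run_hooks(&p, INT_MIN) == NF_STOLEN)
        run_hooks(&p, PRI_PASSTHROUGH + 1);
    return p.seen_by_ip_filter;
}

/* Non-IP traffic is never stolen and reaches the end of the chain. */
unsigned int arp_verdict(void)
{
    struct pkt p = { "arp", 0, 0 };
    setup_chain();
    return run_hooks(&p, INT_MIN);
}

int main(void)
{
    printf("filter hits, no re-entry:   %d\n", filter_hits_without_reinject());
    printf("filter hits, with re-entry: %d\n", filter_hits_with_reinject());
    printf("arp verdict: %u (NF_ACCEPT is %u)\n", arp_verdict(), NF_ACCEPT);
    return 0;
}
```

The threshold is compared against the priority value alone, so a hook registered at the same value as passthrough would be skipped by a re-entry at passthrough + 1; that is why the model gives the later filter a distinct, higher value rather than a tie.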
