From: "Lennert Buytenhek" <[EMAIL PROTECTED]>
Sent: Thursday, April 11, 2002 4:00 PM

> Actually, routed packets _should_ go through br_nf_local_out.
> I was talking shit here, and I see why your patch is needed now.
> I see I missed the okfn-check-in-ipv4-sabotage-out hunk from
> your patch, so I just put yours on the bridge-nf patchtracker
> page. It will be in 0.0.7.
>
> Sorry for the big delay :~(

All's well that ends well :)

> > You just make me realize that my patch makes the layer 2 flow
> > (seen from ebtables' standpoint) for ip DNATed 'bridged' packets
> > unnatural. So we need a compromise that handles both, right?
>
> You mean the cross-bridge DNAT case, or the other case?

Packets getting the skb->dst->output(skb) treatment in
br_nf_pre_routing_finish are bridged packets that go through the
BR_NF_LOCAL_OUT hook. These packets should be seen by ebtables as
bridged, so they should go through the ebtables
PREROUTING->FORWARD->POSTROUTING chains.

With my patch they will go through the ebtables chains like this:
PREROUTING->OUTPUT->POSTROUTING, not good.

Without my patch they will go through the ebtables chains like this:
PREROUTING->POSTROUTING because the FORWARD chain of ebtables has
priority -200 < 0 (see another recent mail and the next mail I'll
reply to :) ).

cheers,
Bart

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
