On 02/13/15 17:37, Florian Westphal wrote:
> Imre Palik <[email protected]> wrote:
>> On 02/11/15 23:29, David Miller wrote:
>>> If I apply this, someone is going to try to submit a patch for every
>>> damn protocol layer to add a stupid hack like this.
>>
>> Actually this is one of those patches. There is already a "stupid hack like
>> this" for iptables and arptables. (Implemented before git history, and
>> giving me 10% speedup. Many thanks, whoever did it.)
>>
>> I also searched various LKML archives, and it seems the existing "stupid
>> hacks" for iptables and arptables haven't resulted in any related patch
>> submission in the last ten years. (Or my google-fu is weak.)
>>
>> Moreover, I cannot imagine any other reasonable on/off switch for
>> bridge-netfilter than these three. Of course, my imagination might be
>> lacking there.
>
> Why do you load the bridge netfilter module if you don't want it?
> Loading it registers the internal hooks for the call-ip(6)tables and
> sabotage hooks with NF_BRIDGE protocol so most of the NF_HOOK(NF_BRIDGE, ...
> calls become active.
>

The trouble is that there are some bridges (with low traffic) where I need
netfilter, and some other bridges (carrying lots of traffic), where I don't.
Being able to set things up on a per bridge basis is a powerful thing.

I only implemented the global switch because the iptables and arptables
support also have one. If this is what bugs people here, I can remove it,
and resubmit.

