Re: Fw: Problems with nf_nat_ftp.ko and nf_conntrack_ftp.ko in 2.6.22.6

Patrick McHardy wrote:
> ron lai wrote:
> > I've verified that the module works fine if no bridge is used. Unfortunately the patch doesn't fix the 2-calls-of-the-helper-function problem if a bridge is applied to the system.
>
> Strange, I can't reproduce this. To clarify - you're using only a
> single bridge with one device, or two bridges with one device each?


I can reproduce this with forwarding between two bridges.
The reason is that skb->nf_bridge still contains the data
from the first bridge and so br_netfilter thinks this is
a bridged packet. I don't know how this is supposed to work,
but it seems to me that on packets going out a bridge device
this should be reset in case it originates from a different
bridge (actually I think it should be reset unconditionally
but that would probably break bridged DNAT).

Bart, what do you think about changing this:

static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb, ...
{
	...
	nf_bridge = skb->nf_bridge;
	if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
		return NF_ACCEPT;

to:

	if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
		/* routed packet leaving via a bridge: drop the stale bridge state */
		nf_bridge_put(skb->nf_bridge);
		skb->nf_bridge = NULL;
		return NF_ACCEPT;
	}

?
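To make the double invocation concrete, here is an added user-space model in C (not code from the kernel or from anyone in this thread): it mimics the hook order for a packet that enters on one bridge, is routed, and leaves on a second bridge, and counts how often the conntrack helper runs with and without the reset proposed above. The hook names are borrowed from br_netfilter; the struct layouts, the BRNF_BRIDGED_DNAT value, and the simplification that br_netfilter re-runs the IP hooks only for skbs still carrying nf_bridge are assumptions of this model.

```c
#include <stdlib.h>
/* Constructed user-space model of the scenario in the mail; the names mirror
 * the kernel's, but the BRNF_BRIDGED_DNAT value here is a placeholder. */
#define BRNF_BRIDGED_DNAT 0x02
struct nf_bridge_info { int use; unsigned int mask; };   /* use = refcount */
struct sk_buff { struct nf_bridge_info *nf_bridge; int helper_calls; };
static void nf_bridge_put(struct nf_bridge_info *nf_bridge)
{
    if (nf_bridge && --nf_bridge->use == 0)
        free(nf_bridge);
}

/* Bridge PRE_ROUTING: br_netfilter attaches nf_bridge to a packet seen on a bridge. */
static void br_nf_pre_routing(struct sk_buff *skb)
{
    skb->nf_bridge = calloc(1, sizeof(*skb->nf_bridge));
    skb->nf_bridge->use = 1;
}

/* IP POST_ROUTING as conntrack sees it: this is where the FTP helper runs. */
static void ip_postrouting_helper(struct sk_buff *skb) { skb->helper_calls++; }

/* Bridge POST_ROUTING: br_netfilter re-runs the IP hooks only for packets it
 * still believes are bridged, i.e. those still carrying nf_bridge. */
static void br_nf_post_routing(struct sk_buff *skb)
{
    if (skb->nf_bridge)
        ip_postrouting_helper(skb);
}

/* Bridge LOCAL_OUT; with_fix applies the reset proposed in the mail. */
static void br_nf_local_out(struct sk_buff *skb, int with_fix)
{
    if (with_fix && skb->nf_bridge && !(skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
        nf_bridge_put(skb->nf_bridge);
        skb->nf_bridge = NULL;    /* routed packet: stop looking bridged */
    }
}

/* Packet enters on bridge 1, is routed, leaves on bridge 2.
 * Returns how often the helper ran: 2 without the fix, 1 with it. */
int forward_between_bridges(int with_fix)
{
    struct sk_buff skb = { NULL, 0 };
    br_nf_pre_routing(&skb);          /* ingress on bridge 1 */
    ip_postrouting_helper(&skb);      /* routed path: helper runs once */
    br_nf_local_out(&skb, with_fix);  /* egress onto bridge 2 */
    br_nf_post_routing(&skb);         /* stale nf_bridge => helper runs again */
    nf_bridge_put(skb.nf_bridge);
    return skb.helper_calls;
}
```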