From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 11 Jan 2008 18:56:56 +0100

> [NETFILTER]: bridge: fix double POST_ROUTING invocation
>
> The bridge code incorrectly causes two POST_ROUTING hook invocations
> for DNATed packets that end up on the same bridge device. This
> happens because packets with a changed destination address are passed
> to dst_output() to make them go through the neighbour output function
> again to build a new destination MAC address, before they will continue
> through the IP hooks simulated by bridge netfilter.
>
> The resulting hook order is:
> PREROUTING (bridge netfilter)
> POSTROUTING (dst_output -> ip_output)
> FORWARD (bridge netfilter)
> POSTROUTING (bridge netfilter)
>
> The deferred hooks used to abort the first POST_ROUTING invocation,
> but since the only thing bridge netfilter actually really wants is
> a new MAC address, we can avoid going through the IP stack completely
> by simply calling the neighbour output function directly.
>
> Tested, reported and lots of data provided by: Damien Thebault <damien.thebault@xxxxxxxxx>
>
> Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

Applied, thanks Patrick.