Bart De Schuymer wrote:
> Patrick McHardy wrote:
>> Also proper ETH_* values please. But I'm wondering, we already save
>> the entire header in br_nf_post_routing(). Can't that be done earlier
>> so the upper layers don't have to care about this stuff and can simply
>> attach the original nf_bridge reference?
>>
>>
> If you don't save the correct MAC address for the newly created skbuff
> in ipt_REJECT, there is no way to get it back later. Furthermore, if you
> save the header too early, MAC SNAT and DNAT might have changed the
> header and you have to resave the header anyway.

Yes, we need to save it at some point. My idea was that we might be
able to save it in PREROUTING instead of POSTROUTING and only do
nskb->nf_bridge = nf_bridge_get(oskb->nf_bridge) in ipt_REJECT and
probably also the ICMP code. MAC NAT could be handled by updating
the bridge info simultaneously.

>> I'm also wondering - how are ICMP rejects handled?
>>
>>
> Good question :-)
> ICMP packets currently get sent with a source IP and MAC address of the
> bridge. If the bridge doesn't have an IP address but does have a
> suitable route, the source address is 0.0.0.0. I'll look into fixing this.