Eric Dumazet wrote:
> On Tuesday 30 March 2010 at 16:16 +0200, Bart De Schuymer wrote:
>> @@ -163,7 +166,11 @@ static inline bool __nf_ct_tuple_dst_equ >> { >> return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) && >> t1->dst.u.all == t2->dst.u.all && >> - t1->dst.protonum == t2->dst.protonum); >> + t1->dst.protonum == t2->dst.protonum >> +#ifdef CONFIG_BRIDGE_NETFILTER >> + && likely(t1->dst.vlan_id == t2->dst.vlan_id) >> +#endif >> + ); >> } >> >> static inline bool nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, >>
>
> This really sounds very strange, layering violation or something.
>
> You mix conntracking, bridge and vlan here.

I agree, this is really wrong.

> Why setups without bridge should not care of vlan + conntracking side
> effects ?
>
> This whole idea was discussed last November :
>
> http://www.spinics.net/lists/netfilter-devel/msg10692.html
>
> Patrick spoke of 'conntrack zone', and we added this concept.

Indeed, this seems like a better way.
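
Review bot: the `#ifdef CONFIG_BRIDGE_NETFILTER` block placed inside the return expression of `__nf_ct_tuple_dst_equal` makes conntrack tuple equality depend on a build option, so a kernel built without bridge netfilter compares the same two tuples without looking at `vlan_id` and can reach a different answer for VLAN-tagged flows. If the VLAN id has to take part in the match, move the test into a small inline helper that returns true when the option is disabled, which keeps the return expression free of preprocessor lines, and explain in the changelog why the comparison is limited to bridge builds. The `likely()` around `t1->dst.vlan_id == t2->dst.vlan_id` also needs a stated justification, since the other three comparisons in the same expression carry no branch hint.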