RE: br_netfilter post routing hook question...

The product is a router and the bridge (br0) is connecting the LAN to the WLAN.  The module only wants to examine packets on the bridge for QoS purposes (to the WLAN), so that I can, at the bridge layer, check for packets to/from ath0 (the wireless port).  At PF_INET I would only see br0, so my QoS scope would be too wide.

TBH I wondered if I could have implemented a qdisc on ath0, and that might have been more efficient for tracking packets to/from the WLAN.  Though I don't know if a qdisc can monitor RX packets; I know they can do TX, as I have implemented them before.

The forward path would also expose me (at PF_INET) to WAN<->bridge traffic too.  I am conscious of the exposure to traffic volume and slowing the system down; I have a performance target to hit and am struggling to do so at the moment.

But I am also new to all this so am still in learning mode.

Oh, and the comment in the C code says ip_refrag(), but it actually calls ip_fragment() at the end of the post-routing operation.  The bridge always returns STOLEN, so maybe that is why it needs to be PRI_LAST???

Cheers for the advice. 

Gareth



-----Original Message-----
From: agashi shipora [mailto:gashipo@xxxxxxxxx] 
Sent: 02 April 2010 18:26
To: Gareth Williams
Cc: netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: br_netfilter post routing hook question...

Hi,

I don't know if br_nf_post_routing can be assigned the priority
NF_BR_PRI_LAST-1. I couldn't find the ip_refrag definition in 2.6.30.

As br_netfilter.c invokes the NF_INET_POST_ROUTING hook, I was thinking
that registering your module at NF_INET_POST_ROUTING (PF_INET) after
ipt_post_routing_hook (mangle table) and nf_nat_out (nat table), and before
ipv4_confirm (conntrack), would help.

Of course this would mean your module would come into the picture for
routed packets too.

Thanks
GP

On Fri, Apr 2, 2010 at 7:48 PM, Gareth Williams <gwilliams@xxxxxxxxxx> wrote:
> Hello chaps.
>
> I have a module which hooks into the bridge on the post routing hook
> (PF_BRIDGE).
>
> I also enable bridge netfilter to allow iptables rules to process
> packets - I set rules on the post_routing chain (mangle table) to set
> marks on packets.
>
> Unfortunately I cannot see these marks in my code because the priority
> on the bridge_netfilter post routing hook is PRI_LAST.
>
> Since it is PRI_LAST I have no room to put my hook lower than it - so I
> will never see these marks.
>
> The comment in br_netfilter.c for this hook says it has to be PRI_LAST
> because ip_refrag() can return STOLEN - but does it really have to be
> LAST???  Can't it be, say, LAST-1 so I have at least some room to move my
> module to see those marks?
>
> I know I could enable ebtables and do it that way but I am happy using
> the conntrack facilities within the iptables framework to monitor
> connections over the bridge.  The product I am working on also has
> limited power and adding yet another set of tables and hooks would just
> cause more slowdown in the fast path - something I don't think we can
> stand right now.
>
> Am I missing something obvious?
>
> Cheers for any advice.
>
> Gareth
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
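The ordering problem discussed in this thread can be reproduced without a kernel. The following is an added example, written for this page and not code from br_netfilter.c or from Gareth's module: a small user-space model of how netfilter keeps each hook chain sorted by priority and walks it until a hook returns NF_STOLEN. The priority constants are the ones from the 2.6-era netfilter_bridge.h / netfilter_ipv4.h headers; the insertion rule copies the behaviour of nf_register_hook() of that time (a new hook is placed after every existing hook whose priority is less than or equal to its own, so equal priorities go in registration order). The hook functions ipt_mangle_mark, nf_nat_out, ipv4_confirm and br_nf_post_routing are stand-ins named after the real ones, and the mark value 0x10 is constructed. The model covers the three cases from the thread (QoS hook on PF_BRIDGE at PRI_LAST, on PF_BRIDGE at PRI_LAST-1, on PF_INET between NAT and conntrack confirm) and also a routed packet, to show GP's caveat that a PF_INET hook sees routed traffic too.

```c
/* User-space model of netfilter hook ordering (added example, not kernel code). */
#include <limits.h>
#include <string.h>

#define NF_ACCEPT 1
#define NF_STOLEN 2

#define PF_INET   2
#define PF_BRIDGE 7
#define NPROTO    8

/* Values as in the 2.6-era netfilter headers. */
#define NF_BR_PRI_LAST              INT_MAX
#define NF_IP_PRI_MANGLE            (-150)
#define NF_IP_PRI_NAT_SRC           100
#define NF_IP_PRI_CONNTRACK_CONFIRM INT_MAX

struct sk_buff { unsigned int mark; };
typedef unsigned int (*nf_hookfn)(struct sk_buff *skb);
struct nf_hook_ops { nf_hookfn hook; int priority; };

#define MAX_HOOKS 8
static struct nf_hook_ops chains[NPROTO][MAX_HOOKS];
static int nhooks[NPROTO];

/* Model of nf_register_hook(): sorted insert, ties go AFTER existing entries. */
static void nf_register_hook(nf_hookfn fn, int pf, int priority)
{
    struct nf_hook_ops *c = chains[pf];
    int i = 0;
    while (i < nhooks[pf] && !(priority < c[i].priority))
        i++;
    memmove(&c[i + 1], &c[i], (size_t)(nhooks[pf] - i) * sizeof(*c));
    c[i].hook = fn;
    c[i].priority = priority;
    nhooks[pf]++;
}

/* Model of nf_iterate(): run hooks in list order, stop at the first non-ACCEPT. */
static unsigned int nf_hook_slow(int pf, struct sk_buff *skb)
{
    for (int i = 0; i < nhooks[pf]; i++) {
        unsigned int verdict = chains[pf][i].hook(skb);
        if (verdict != NF_ACCEPT)
            return verdict;
    }
    return NF_ACCEPT;
}

/* Stand-ins for the real PF_INET POST_ROUTING hooks named in the thread. */
static unsigned int ipt_mangle_mark(struct sk_buff *skb) { skb->mark = 0x10; return NF_ACCEPT; }
static unsigned int nf_nat_out(struct sk_buff *skb)      { (void)skb; return NF_ACCEPT; }
static unsigned int ipv4_confirm(struct sk_buff *skb)    { (void)skb; return NF_ACCEPT; }

/* br_nf_post_routing(): runs the IPv4 POST_ROUTING chain for the bridged
 * packet, then hands the skb on (ip_fragment/okfn) and returns NF_STOLEN. */
static unsigned int br_nf_post_routing(struct sk_buff *skb)
{
    nf_hook_slow(PF_INET, skb);
    return NF_STOLEN;
}

/* The QoS module's hook: records whether it ran and the mark it saw. */
static int qos_ran;
static unsigned int qos_mark_seen;
static unsigned int qos_hook(struct sk_buff *skb)
{
    qos_ran = 1;
    qos_mark_seen = skb->mark;
    return NF_ACCEPT;
}

/* Register the built-in hooks first (they load before the module), then the
 * QoS hook at the requested protocol family and priority. */
static void setup(int qos_pf, int qos_prio)
{
    memset(nhooks, 0, sizeof nhooks);
    nf_register_hook(ipt_mangle_mark,   PF_INET,   NF_IP_PRI_MANGLE);
    nf_register_hook(nf_nat_out,        PF_INET,   NF_IP_PRI_NAT_SRC);
    nf_register_hook(ipv4_confirm,      PF_INET,   NF_IP_PRI_CONNTRACK_CONFIRM);
    nf_register_hook(br_nf_post_routing, PF_BRIDGE, NF_BR_PRI_LAST);
    nf_register_hook(qos_hook,          qos_pf,    qos_prio);
    qos_ran = 0;
    qos_mark_seen = 0;
}

/* Bridged packet: enters at PF_BRIDGE POST_ROUTING. Returns the mark the QoS
 * hook saw, or -1 if the hook never ran. */
int qos_bridged_mark(int qos_pf, int qos_prio)
{
    struct sk_buff skb = { 0 };
    setup(qos_pf, qos_prio);
    nf_hook_slow(PF_BRIDGE, &skb);
    return qos_ran ? (int)qos_mark_seen : -1;
}

/* Routed (non-bridged) packet: only the PF_INET POST_ROUTING chain runs. */
int qos_routed_mark(int qos_pf, int qos_prio)
{
    struct sk_buff skb = { 0 };
    setup(qos_pf, qos_prio);
    nf_hook_slow(PF_INET, &skb);
    return qos_ran ? (int)qos_mark_seen : -1;
}
```

Two things the model makes visible that the thread only hints at: a PF_BRIDGE hook at NF_BR_PRI_LAST registered after br_netfilter sits behind a hook that returns NF_STOLEN and never runs at all, and a PF_BRIDGE hook at NF_BR_PRI_LAST-1 does run but sees mark 0, because the mangle POSTROUTING rules are evaluated inside br_nf_post_routing's nested PF_INET traversal, which has not happened yet. Only the PF_INET placement between nf_nat_out and ipv4_confirm sees the mark for bridged traffic, at the cost of also being called for routed packets.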
