Re: [PATCH/RFC 3/5] bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets

Bart De Schuymer wrote:
> bridge-netfilter: simplify IP DNAT and fix IP DNAT on encapsulated packets
> 
> - Add some code in br_device.c::br_dev_xmit() which enables the
> removal of br_netfilter.c::br_nf_local_out(). The function
> br_nf_local_out() was needed because the PF_BRIDGE::LOCAL_OUT hook
> could be called when IP DNAT happens on to-be-bridged traffic. The
> new scheme eliminates this mess.
> - Speed up IP DNAT. To obtain the correct destination MAC address,
> neigh_hh_output() or dst->neighbour->output() is called. In both
> cases this results in the queueing of the packet. However, if dst->hh
> is available, we already know the MAC address so we can just copy it
> instead, removing the need for neigh_hh_output(). This MAC address is
> copied in the new function neigh_hh_bridge().
> - fix IP DNAT on vlan- or pppoe-encapsulated traffic: The functions
> neigh_hh_output() or dst->neighbour->output() overwrite the complete
> Ethernet header, although we only need the destination MAC address.
> For encapsulated packets, they ended up overwriting the encapsulating
> header. The new code copies the Ethernet source MAC address and
> protocol number before calling dst->neighbour->output(). The Ethernet
> source MAC and protocol number are copied back in place in 
> br_nf_pre_routing_finish_bridge_slow(). This also makes the IP DNAT 
> more transparent because in the old scheme the source MAC of the 
> bridge was copied into the source address in the Ethernet header. We 
> also let skb->protocol equal ETH_P_IP resp. ETH_P_IPV6 during the 
> execution of the PF_INET resp. PF_INET6 hooks.

Besides patch 5 these all look fine to me. Regarding this one,
the individual changes don't seem to strictly depend on each
other. Would it be possible to split this up further to make
review (and potentially bisections) easier?
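The third bullet of the quoted commit message (neighbour output overwriting the whole Ethernet header, and the fix of saving the source MAC and protocol and copying them back afterwards) can be modelled outside the kernel. The C below is an added illustration written for this archive page, not code from the patch or from the bridge-netfilter tree: it uses a toy frame buffer instead of an sk_buff, a stand-in function in place of neigh_hh_output()/dst->neighbour->output(), and constructed MAC addresses. It shows why a full-header rewrite breaks a VLAN-tagged frame (the outer EtherType 0x8100 becomes 0x0800) and how the save/restore keeps the rewrite limited to the destination MAC.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_ALEN    6
#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define ETH_P_8021Q 0x8100

/* Toy frame model constructed for this example (not the kernel's sk_buff):
 * data[] holds a whole frame, mac_header points at its first byte. */
struct toy_frame {
    uint8_t  data[64];
    size_t   len;
    uint8_t *mac_header;
};

/* Constructed, locally administered sample addresses. */
static const uint8_t ORIG_DST[ETH_ALEN]   = {0x02,0x00,0x00,0x00,0x00,0x01};
static const uint8_t ORIG_SRC[ETH_ALEN]   = {0x02,0x00,0x00,0x00,0x00,0x02};
static const uint8_t DNAT_DST[ETH_ALEN]   = {0x02,0x00,0x00,0x00,0x00,0x03};
static const uint8_t BRIDGE_SRC[ETH_ALEN] = {0x02,0x00,0x00,0x00,0x00,0xbb};

/* Build a VLAN-tagged IPv4 frame: dst, src, 0x8100, TCI, 0x0800, payload. */
void build_vlan_frame(struct toy_frame *f) {
    memset(f, 0, sizeof(*f));
    f->mac_header = f->data;
    memcpy(f->data, ORIG_DST, ETH_ALEN);
    memcpy(f->data + ETH_ALEN, ORIG_SRC, ETH_ALEN);
    f->data[12] = 0x81; f->data[13] = 0x00;   /* outer EtherType: 802.1Q */
    f->data[14] = 0x00; f->data[15] = 0x0a;   /* TCI: VLAN id 10 */
    f->data[16] = 0x08; f->data[17] = 0x00;   /* inner EtherType: IPv4 */
    f->data[18] = 0x45;                       /* first byte of IPv4 header */
    f->len = 19;
}

/* EtherType found right after the two MAC addresses. */
uint16_t outer_ethertype(const struct toy_frame *f) {
    return (uint16_t)((f->mac_header[12] << 8) | f->mac_header[13]);
}

/* Stand-in for neigh_hh_output()/dst->neighbour->output(): it rebuilds the
 * whole 14-byte Ethernet header at the MAC header position, using the
 * bridge's own source MAC and the protocol of the routed packet (IPv4).
 * Only the first 6 bytes (destination MAC) are what DNAT actually needs. */
static void toy_neigh_output(struct toy_frame *f, const uint8_t *new_dst,
                             const uint8_t *bridge_src, uint16_t proto) {
    memcpy(f->mac_header, new_dst, ETH_ALEN);
    memcpy(f->mac_header + ETH_ALEN, bridge_src, ETH_ALEN);
    f->mac_header[12] = (uint8_t)(proto >> 8);
    f->mac_header[13] = (uint8_t)(proto & 0xff);
}

/* Old scheme: let the neighbour output routine overwrite the full header.
 * On a VLAN frame the outer EtherType 0x8100 is replaced by 0x0800, so the
 * tag is no longer recognised, and the original source MAC is lost. */
void dnat_rewrite_old(struct toy_frame *f) {
    toy_neigh_output(f, DNAT_DST, BRIDGE_SRC, ETH_P_IP);
}

/* New scheme as described in the commit message: save the source MAC and
 * EtherType, let the output routine run, then copy them back so that only
 * the destination MAC changes. */
void dnat_rewrite_fixed(struct toy_frame *f) {
    uint8_t saved[ETH_HLEN - ETH_ALEN];     /* src MAC + 2-byte EtherType */
    memcpy(saved, f->mac_header + ETH_ALEN, sizeof(saved));
    toy_neigh_output(f, DNAT_DST, BRIDGE_SRC, ETH_P_IP);
    memcpy(f->mac_header + ETH_ALEN, saved, sizeof(saved));
}

/* 1 if the frame still carries its original source MAC, else 0. */
int src_mac_intact(const struct toy_frame *f) {
    return memcmp(f->mac_header + ETH_ALEN, ORIG_SRC, ETH_ALEN) == 0;
}

/* 1 if the destination MAC was rewritten to the DNAT target, else 0. */
int dst_mac_rewritten(const struct toy_frame *f) {
    return memcmp(f->mac_header, DNAT_DST, ETH_ALEN) == 0;
}

int main(void) {
    struct toy_frame f;
    build_vlan_frame(&f);
    dnat_rewrite_old(&f);
    printf("old scheme:   ethertype=0x%04x src_intact=%d\n",
           outer_ethertype(&f), src_mac_intact(&f));
    build_vlan_frame(&f);
    dnat_rewrite_fixed(&f);
    printf("fixed scheme: ethertype=0x%04x src_intact=%d\n",
           outer_ethertype(&f), src_mac_intact(&f));
    return 0;
}
```

The toy output routine deliberately mirrors the behaviour the commit message attributes to the real helpers: it has no idea the frame is encapsulated, so it writes a plain Ethernet header where the 802.1Q header sits. Restoring the saved bytes afterwards is what makes the rewrite safe for VLAN or PPPoE frames and also keeps the original source MAC, which is the transparency gain the message mentions.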
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
