On 14.11.2010 12:56, Kfir Lavi wrote:
> On Thu, Nov 11, 2010 at 12:48 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
>>
>> On 11.11.2010 11:05, Kfir Lavi wrote:
>>> Hi,
>>> It seems to me that it's not possible to do a verdict in userspace of
>>> ethernet packets, like it is done with nfqueue and iptables.
>>> Why is it not implemented?
>>
>> Nobody ever implemented it. IIRC the main problem is that under
>> certain circumstances the packets need to be passed back to
>> __netif_receive_skb() when queuing in LOCAL_IN, which isn't
>> possible from the completion handler.
>
> Thanks Patrick for your reply.
> Can you explain why it's not possible to pass packets back?

Because the completion handler is executed asynchronously, while the
bridge receive functions are called directly from __netif_receive_skb().

> Also, why should packets need to be sent back?

That's f.i. how the NF_BR_LOCAL_IN handler works for link-local packets.
Have a look at br_handle_frame().