Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > We can keep those sysctls there in bridge.ko and deprecated them in > favour of br_netlink. I think we can add some IFLA_BRPORT_NF for the > setlink command to replace the existing global proc nf-call-thing. > We'll have to enhance the 'bridge' tool in iproute2 to support this. Not sure this is needed. Patrick added support for a per-bridge sysfs flag a while back. > > Then, in two years or so, we would remove the autoload hook > > in the packet procesing path. > > Agreed. By that time, we can kill the bridge.ko <-> br_netfilter.ko > dependency and the /proc call-nf-bridge stuff in favour of br_netlink. > > Let me know if you still have any concern. Thanks. Yes, well... I am afraid Patrick is right, we cannot remove it without breaking some setups. So, what to do? I think the first step would be to go ahead and split the hook glue to a separate module, and then add the autoprobing from the packet processing path (only loading br_nf module when needed). We could still add a deprecation warning later on (aka 'please modprobe br_nf_core' instead). But yes, Patricks probably right, waiting two years doesn't make it more 'safe' than waiting 6 months... What _might_ help is if there was an easy (and fast) way to tell wheter iptables rules are loaded (right now it checks for active netfilter hooks). Then, we could restrict the autoload to arp/ip(6)tables and not load the br_nf glue module when nft is used instead. That will allow removing autload with iptables removal. Yes, I know this is in a very distant future... -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
