On Mon, 29 Sep 2014 14:39:21 +0200 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > Jesper reported that br_netfilter always registers the hooks since > this is part of the bridge core. This harms performance for people that > don't need this. > > This patch modularizes br_netfilter so it can be rmmod'ed, thus, > the hooks can be unregistered. I think the bridge netfilter should have > been a separated module since the beginning, Patrick agreed on that. > > Note that this is breaking compatibility for users that expect that > bridge netfilter is going to be available after explicitly 'modprobe > bridge' or via automatic load through brctl. > > However, the damage can be easily undone by modprobing br_netfilter. > The bridge core also spots a message to provide a clue to people that > didn't notice that this has been deprecated. > > On top of that, the plan is that nftables will not rely on this software > layer, but integrate the connection tracking into the bridge layer to > enable stateful filtering and NAT, which is was bridge netfilter users > seem to require. > > This patch still keeps the fake_dst_ops in the bridge core, since this > is required by when the bridge port is initialized. So we can safely > modprobe/rmmod br_netfilter anytime. > > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > Acked-by: Florian Westphal <fw@xxxxxxxxx> I think this is a good idea but you can't break users. We need to figure out a way to autoload br_netfilter module on first use. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
