Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > I think the use of skb->cb introduces another dependency between > br_netfilter and the core, which is what we should avoid. I still > have concerns regarding future extensibility issues that this may > introduce: One more thing (sorry, forgot to mention this). We CANNOT avoid dependency between br_netfilter and the core. Its just a matter of what this dependency looks like, and how much of a buren it is wrt. to maintenance and debugability. Currently the dependency is skb->nf_bridge pointer. I proposed to replace this pointer with smaller state + place rest of info in skb->cb, with all the problems that this entails. Using your 'external table' will also require some interaction, I don't see how you'd remove entries from such table except some callback function sitting in kfree_skb path, so we'd have to replace current nf_bridge_put() call with something like if (skb->nf_bridge_state && nf_bridge_info_destructor_hook) nf_bridge_info_destructor_hook(skb); in kfree_skb. We'd also still need the refcounting and figure out a way to handle skb_clone properly (although I *think* we only have to care about those spots where the bridge clones skbs and don't need a generic solution). I admit that your proposal has less 'hidden' dependencies compared to skb->cb based solutions, though. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
