On Fri, Aug 03, 2018 at 07:04:44PM +0200, Máté Eckl wrote: > On Fri, Aug 03, 2018 at 05:17:29PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Aug 03, 2018 at 01:36:13PM +0200, Máté Eckl wrote: > > > Netfilter exposes standard hook priorities in case of ipv4, ipv6 and > > > arp but not in case of bridge. > > > > > > This patch exposes the hook priority values of the bridge family (which are > > > different from the formerly mentioned) via uapi so that they can be used by > > > user-space applications just like the others. > > > > Applied, thanks. > > > > One minor glitch, see below. > > > > > Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx> > > > --- > > > The list of the modified files can be validated with the following > > > command: > > > find <kernel source dir> -name "*.[ch]" -exec grep --color -HnE \ > > > "(NF_BR_PRI_FIRST|NF_BR_PRI_NAT_DST_BRIDGED|NF_BR_PRI_FILTER_BRIDGED|NF_BR_PRI_BRNF|NF_BR_PRI_NAT_DST_OTHER|NF_BR_PRI_FILTER_OTHER|NF_BR_PRI_NAT_SRC|NF_BR_PRI_LAST)" \ > > > {} \; | cut -d ":" -f1 | uniq > > > > > > include/linux/netfilter_bridge.h | 11 ----------- > > > include/uapi/linux/netfilter_bridge.h | 11 +++++++++++ > > > net/bridge/br_netfilter_hooks.c | 1 + > > > net/bridge/netfilter/ebtable_filter.c | 1 + > > > net/bridge/netfilter/ebtable_nat.c | 1 + > > > 5 files changed, 14 insertions(+), 11 deletions(-) > > > > > > diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h > > > index b671fdfd212b..fa0686500970 100644 > > > --- a/include/linux/netfilter_bridge.h > > > +++ b/include/linux/netfilter_bridge.h 
> > > @@ -5,17 +5,6 @@ > > > #include <uapi/linux/netfilter_bridge.h> > > > #include <linux/skbuff.h> > > > > > > -enum nf_br_hook_priorities { > > > - NF_BR_PRI_FIRST = INT_MIN, > > > - NF_BR_PRI_NAT_DST_BRIDGED = -300, > > > - NF_BR_PRI_FILTER_BRIDGED = -200, > > > - NF_BR_PRI_BRNF = 0, > > > - NF_BR_PRI_NAT_DST_OTHER = 100, > > > - NF_BR_PRI_FILTER_OTHER = 200, > > > - NF_BR_PRI_NAT_SRC = 300, > > > - NF_BR_PRI_LAST = INT_MAX, > > > -}; > > > - > > > #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) > > > > > > int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb); > > > diff --git a/include/uapi/linux/netfilter_bridge.h b/include/uapi/linux/netfilter_bridge.h > > > index 12fb77633f83..156ccd089df1 100644 > > > --- a/include/uapi/linux/netfilter_bridge.h > > > +++ b/include/uapi/linux/netfilter_bridge.h 
> > > @@ -26,4 +26,15 @@ > > > #define NF_BR_BROUTING 5 > > > #define NF_BR_NUMHOOKS 6 > > > > > > +enum nf_br_hook_priorities { > > > > I have renamed this to 'enum nf_br_hooks' to make it consistent with > > 'enum nf_inet_hooks' definition in uapi/linux/netfilter.h before > > applying. > > You should not do that. nf_inet_hooks does not represent hook priority values, > but the hooks themselves. > > nf_br_hook_priorities is analogous to nf_ipv4_hook_priorities in nf_ip_hook_priorities > uapi/linux/netfilter_ipv4.h and also ipv6 and arp equivalents follow the same > convention. Well arp probably does not have this (I can't find it right now), but the rest is still true. > > > > > > + NF_BR_PRI_FIRST = INT_MIN, > > > + NF_BR_PRI_NAT_DST_BRIDGED = -300, > > > + NF_BR_PRI_FILTER_BRIDGED = -200, > > > + NF_BR_PRI_BRNF = 0, > > > + NF_BR_PRI_NAT_DST_OTHER = 100, > > > + NF_BR_PRI_FILTER_OTHER = 200, > > > + NF_BR_PRI_NAT_SRC = 300, > > > + NF_BR_PRI_LAST = INT_MAX, > > > +}; > > > +
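
Review bot: In the include/uapi/linux/netfilter_bridge.h hunk, NF_BR_PRI_FIRST = INT_MIN and NF_BR_PRI_LAST = INT_MAX depend on macros for which the hunk adds no include. Unless the top of this header (not shown here) already includes <limits.h> for non-kernel builds, a user-space program that includes only this header will fail to compile, so a guarded include (#ifndef __KERNEL__ / #include <limits.h> / #endif) should be added alongside the enum. Separately, once the enum is exported its name is visible to user space, so the nf_br_hook_priorities versus nf_br_hooks question raised in this thread should be settled before the header ships in a release.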