Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Should we fix this from the kernel? ie. like we do with conntracking,
> track how many rules with physdev are loaded to register the
> br_netfilter hooks?

I don't see how this is possible -- it would require changing the default of the sysctls to 0.

And we don't know if br_netfilter gets loaded because of the physdev dependency or because it's due to 'modprobe br_netfilter' by the user. In the second case, changing the defaults alters behaviour in an incompatible way.

The only solution I see is to get rid of the module dependency in physdev (it's artificial) and make checkentry() call request_module() once.

Not sure that's better, but it would avoid this problem, as '-D ... -m physdev' doesn't call checkentry.

> That will be a bit more work... not sure it is worth. I'm not sure
> what are the implications of removing this chunk in userspace, ie.
> side effects of your workaround.

Yes, it undoes changes that went into the 1.8.0 release.