On Sat, Dec 29, 2018 at 02:13:23AM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Should we fix this from the kernel? ie. like we do with conntracking,
> > track how many rules with physdev are loaded to register the
> > br_netfilter hooks?
>
> I don't see how this is possible -- it would require to change
> the default of the sysctls to 0.
>
> And we don't know if br_netfilter gets loaded because of the
> physdev dependency or because it's due to 'modprobe br_netfilter'
> by the user.
>
> In the second case, changing the defaults alters behaviour in
> an incompatible way.
>
> Only solution I see is to get rid of the module dependency
> in physdev (it's artificial) and make checkentry() call
> request_module() once.
>
> Not sure that's better, but it would avoid this problem, as
> '-D ... -m physdev' doesn't call checkentry.

request_module() should be fine.

A long time ago br_netfilter used to be built into the bridge module;
this was very much defeating the purpose of the nf_hook static_key at
that time - that was not good.

This symbol stub trick was added to relieve the impact of such a change
in default behaviour some time ago, ie. if physdev is used, the user
wants the br_netfilter module.

Using request_module() would just relax the dependency a bit - since
you could now rmmod br_netfilter - but this will still serve the
purpose of helping users that are jumping from an old Linux kernel to
more recent ones.