Bart De Schuymer wrote:
On Wed, 07-11-2007 at 12:55 +0100, Patrick McHardy wrote:
Could you check the attached patch?
Looks ok to me.
> Another solution I think is this:
in br_nf_post_routing():
change
if (!nf_bridge)
to
if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED_DNAT))
Wouldn't that break the regular case of packets forwarded
through a single bridge?
Hmm, yes, we'd need to or it with BRNF_BRIDGED. I personally prefer
something like that, leaving the call to nf_bridge_put when the skbuff
is removed. But it's your call :)
Both are fine with me. Does this patch look correct to you?
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index da22f90..ce68284 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -766,6 +766,9 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
if (!nf_bridge)
return NF_ACCEPT;
+ if (!nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT))
+ return NF_ACCEPT;
+
if (!realoutdev)
return NF_DROP;
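Review bot: The added condition `if (!nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT))` is missing a pair of parentheses. In C, unary `!` binds tighter than binary `&`, so this is parsed as `(!nf_bridge->mask) & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)`. Since `!nf_bridge->mask` is only ever 0 or 1, the early `return NF_ACCEPT` no longer depends on whether either flag is set in the mask, only on whether the mask is zero and whether bit 0 is among the flag constants. The form discussed earlier in the thread negates the whole test, so this should read `if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))`. A one-line comment above the check stating why packets with neither flag skip the rest of br_nf_post_routing() would also help, given that the thread had to work out the single-bridge forwarding case.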