[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20140919101312.GA2054@breakpoint.cc>
Date: Fri, 19 Sep 2014 12:13:12 +0200
From: Florian Westphal <fw@...len.de>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: Florian Westphal <fw@...len.de>, netfilter-devel@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH 1/2 v2 nf-next] net: bridge: don't register netfilter
call_iptables hooks by default
Pablo Neira Ayuso <pablo@...filter.org> wrote:
> We can keep those sysctls there in bridge.ko and deprecated them in
> favour of br_netlink. I think we can add some IFLA_BRPORT_NF for the
> setlink command to replace the existing global proc nf-call-thing.
> We'll have to enhance the 'bridge' tool in iproute2 to support this.
Not sure this is needed. Patrick added support for a per-bridge
sysfs flag a while back.
> > Then, in two years or so, we would remove the autoload hook
> > in the packet procesing path.
>
> Agreed. By that time, we can kill the bridge.ko <-> br_netfilter.ko
> dependency and the /proc call-nf-bridge stuff in favour of br_netlink.
>
> Let me know if you still have any concern. Thanks.
Yes, well... I am afraid Patrick is right, we cannot remove it without
breaking some setups.
So, what to do?
I think the first step would be to go ahead and split the hook glue to
a separate module, and then add the autoprobing from the packet processing
path (only loading br_nf module when needed).
We could still add a deprecation warning later on (aka 'please modprobe
br_nf_core' instead). But yes, Patricks probably right, waiting two
years doesn't make it more 'safe' than waiting 6 months...
What _might_ help is if there was an easy (and fast) way to tell wheter
iptables rules are loaded (right now it checks for active netfilter hooks).
Then, we could restrict the autoload to arp/ip(6)tables and not load
the br_nf glue module when nft is used instead.
That will allow removing autload with iptables removal. Yes, I know
this is in a very distant future...
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists