On Wed, 20 Aug 2025 16:04:47 +0200 Florian Westphal wrote:
> > > Quick question: does unconditional route lookup work for br_netfilter?
> >
> > Never mind, it should be fine, the fake dst gets attached to the skb.
>
> Good point, this changes behaviour for br_netfilter case, we no
> longer call nf_reject_fill_skb_dst() then due to the fake dst.
>
> I don't think br_netfilter is supposed to do anything (iptables
> -j REJECT doesn't work in PRE_ROUTING), and we should not encourage
> use of br_netfilter with nftables.
>
> What about adding a followup patch, targeting nf, that adds:
>
> 	if (hook == NF_INET_PRE_ROUTING && nf_bridge_info_exists(oldskb))
> 		return;
>
> ?
>
> After all, there is no guarantee that we have the needed routing
> info on a bridge in the first place.

Pablo, are you okay with that plan? Would be great to ship this to Linus
and therefore net-next today, given the checks recently added there.