Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > Instead of checking hook just check if the skb already has a route
> > > attached to it.
> >
> > Quick question: does unconditional route lookup work for br_netfilter?
>
> Never mind, it should be fine, the fake dst gets attached to the skb.

Good point, this changes behaviour for br_netfilter case, we no longer
call nf_reject_fill_skb_dst() then due to the fake dst.

I don't think br_netfilter is supposed to do anything (iptables -j REJECT
doesn't work in PRE_ROUTING), and we should not encourage use of
br_netfilter with nftables.

What about adding a followup patch, targeting nf, that adds:

	if (hook == NF_INET_PRE_ROUTING && nf_bridge_info_exists(oldskb))
		return;

?

After all, there is no guarantee that we have the needed routing info on
a bridge in the first place.