[Ebtables-devel] br_forward_finish & br_nf_local_out_finish in 2.4.x vs. 2.6.x
From: Fei <njp...@gm...> - 2007-05-21 07:36:41
Hi,

I have a question:

In linux-2.4.21/net/bridge/br_netfilter.c::br_nf_local_out()
-------------------------------------------------------------------------------
        /* IP forwarded traffic has a physindev, locally
         * generated traffic hasn't.
         */
        if (realindev != NULL) {
                if (((nf_bridge->mask & BRNF_DONT_TAKE_PARENT) == 0) &&
                    has_bridge_parent(realindev))
                        realindev = bridge_parent(realindev);
                NF_HOOK_THRESH(pf, NF_IP_FORWARD, skb, realindev,
                               realoutdev, okfn,
                               NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD + 1);
        } else {
#ifdef CONFIG_NETFILTER_DEBUG
                skb->nf_debug ^= (1 << NF_IP_LOCAL_OUT);
#endif

                NF_HOOK_THRESH(pf, NF_IP_LOCAL_OUT, skb, realindev,
                               realoutdev, okfn,
                               NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT + 1);
        }
-------------------------------------------------------------------------------

In the above code snippet, okfn points to
net/bridge/br_forward.c::br_forward_finish(), which means the IP packets
locally generated will NOT pass through the ebtables OUTPUT chain in the
filter table, right?

However, in the linux-2.6.11 kernel, okfn points to
net/bridge/br_netfilter.c::br_nf_local_out_finish(), which means the IP
packets locally generated will pass through the ebtables OUTPUT chain in
the filter table, right?

Why is there different behavior between 2.4.x and 2.6.11?

Thanks,
Fei