* 2.6.0-test9, bridge firewall, interface specification
@ 2003-11-06 21:07 Tim Gardner
  2003-11-06 21:52 ` Cedric Blancher
  0 siblings, 1 reply; 3+ messages in thread
From: Tim Gardner @ 2003-11-06 21:07 UTC (permalink / raw)
  To: netfilter

I have a well behaved bridge firewall using 2.4.22 with the relevant P-O-M 
patches applied. In testing 2.6.0-test9 I have determined that interface 
specification on a rule no longer works. For example, the first rule in the 
set that should catch 99% of all inbound TCP packets is

iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

If the interface is specified, then this rule does not accrue any packets. Is 
this an expected change in behavior from 2.4.22?
-- 
Tim Gardner - timg@tpi.com 406-443-5357
TriplePoint, Inc. - http://www.tpi.com
PGP: http://www.tpi.com/PGP/Tim.txt



* Re: 2.6.0-test9, bridge firewall, interface specification
  2003-11-06 21:07 2.6.0-test9, bridge firewall, interface specification Tim Gardner
@ 2003-11-06 21:52 ` Cedric Blancher
       [not found]   ` <1068155572.818.19.camel-C+0P+FOGv0rbFIwZ3jqLltgfHpRXVu16X36uYwy3hK3k1uMJSBkQmQ@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Cedric Blancher @ 2003-11-06 21:52 UTC (permalink / raw)
  To: timg; +Cc: netfilter

On Thu 06/11/2003 at 22:07, Tim Gardner wrote:
> I have a well behaved bridge firewall using 2.4.22 with the relevant P-O-M 
> patches applied. In testing 2.6.0-test9 I have determined that interface 
> specification on a rule no longer works. For example, the first rule in the 
> set that should catch 99% of all inbound TCP packets is
> 
> iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> If the interface is specified, then this rule does not accrue any packets. Is 
> this an expected change in behavior from 2.4.22?

When using a bridged firewall with 2.6 kernels, the inbound interface is
the bridge interface, i.e. br0, and so is the outbound one...
That's why you have physdev match that allows one to match the
_physical_ interface, among all ones belonging to the bridge, that
actually received the packet.


cbr@elendil:~$ iptables -m physdev --help
iptables v1.2.8
[...]
physdev v1.2.8 options:
 --physdev-in [!] input name[+] bridge port name ([+] for wildcard)
 --physdev-out [!] output name[+] bridge port name ([+] for wildcard)


So, in your case:

	iptables -A FORWARD -i br0 -m physdev --physdev-in $EXTIF \
		-m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 
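Worked example, added to this archive page and not part of the thread or of
the netfilter project: a POSIX shell helper that rewrites a 2.4-style bridge
ruleset (which named the physical port with -i/-o) into the 2.6 form
described above, -i/-o on the bridge device plus -m physdev. The bridge name
br0, its port list (eth0 eth1) and EXTIF=eth0 are assumptions; on a live box
the port list is in /sys/class/net/br0/brif. The negated case is the one
worth checking by hand: "! -i eth0" has to become "! --physdev-in eth0", since
"! -i br0" would never match bridged traffic at all (every bridged packet
arrives on br0). One caveat not raised in the thread: later 2.6 kernels only
honour --physdev-out for traffic that is actually bridged (pair it with
--physdev-is-bridged), so review FORWARD rules with -o on a port after the
rewrite, and confirm with iptables -L FORWARD -v -n that the counters move.

```shell
#!/bin/sh
# Added example, not from the thread.  Rewrites iptables rules that match a
# bridge port with -i/-o (worked on 2.4 + bridge-nf) into the 2.6 form:
# -i/-o <bridge> plus -m physdev --physdev-in/--physdev-out <port>.
# Assumptions: the bridge is br0 and its ports are eth0 and eth1.  On a real
# box take the port list from /sys/class/net/$BRIDGE/brif instead.
BRIDGE="${BRIDGE:-br0}"
BRIDGE_PORTS="${BRIDGE_PORTS:-eth0 eth1}"

# is_bridge_port NAME -> true when NAME is one of $BRIDGE_PORTS
is_bridge_port() {
    for p in $BRIDGE_PORTS; do
        if [ "$p" = "$1" ]; then return 0; fi
    done
    return 1
}

# rewrite_rule "iptables ... -i eth0 ..." -> prints the 2.6-style rule.
# Interfaces that are not bridge ports (ppp0, the bridge itself) are left
# alone; "! -i PORT" becomes "! --physdev-in PORT" so the negation lands on
# the port, not on the bridge device; "-m physdev" is loaded once per rule.
rewrite_rule() {
    # shellcheck disable=SC2086
    set -- $1
    out=""; neg=""; loaded=""
    while [ $# -gt 0 ]; do
        case "$1" in
            '!')
                if [ "$2" = "-i" ] || [ "$2" = "-o" ]; then
                    neg="! "
                else
                    out="$out !"
                fi
                shift ;;
            -i|-o)
                flag="$1"; dev="$2"; shift 2
                if is_bridge_port "$dev"; then
                    if [ "$flag" = "-i" ]; then opt="--physdev-in"; else opt="--physdev-out"; fi
                    out="$out $flag $BRIDGE"
                    if [ -z "$loaded" ]; then out="$out -m physdev"; loaded=1; fi
                    out="$out ${neg}$opt $dev"
                else
                    out="$out ${neg}$flag $dev"
                fi
                neg="" ;;
            *)
                out="$out $1"; shift ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Constructed sample ruleset in the thread's style (EXTIF is assumed = eth0).
EXTIF="${EXTIF:-eth0}"
cat <<EOF | while IFS= read -r rule; do rewrite_rule "$rule"; done
iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i $EXTIF -o $EXTIF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i ppp0 -j ACCEPT
EOF
```

Run it once with the ruleset piped through rewrite_rule, diff the output
against the old script, then load it and watch the FORWARD counters; a rule
that still shows zero packets is usually one whose interface is neither the
bridge nor one of its ports.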


* Re: 2.6.0-test9, bridge firewall, interface specification
       [not found]   ` <1068155572.818.19.camel-C+0P+FOGv0rbFIwZ3jqLltgfHpRXVu16X36uYwy3hK3k1uMJSBkQmQ@public.gmane.org>
@ 2003-11-06 22:11     ` Tim Gardner
  0 siblings, 0 replies; 3+ messages in thread
From: Tim Gardner @ 2003-11-06 22:11 UTC (permalink / raw)
  To: Cedric Blancher
  Cc: netfilter, ebtables-user

Way cool. Thanks for the note. It works again.

On Thursday 06 November 2003 14:52, Cedric Blancher wrote:
> On Thu 06/11/2003 at 22:07, Tim Gardner wrote:
> > I have a well behaved bridge firewall using 2.4.22 with the relevant
> > P-O-M patches applied. In testing 2.6.0-test9 I have determined that
> > interface specification on a rule no longer works. For example, the first
> > rule in the set that should catch 99% of all inbound TCP packets is
> >
> > iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j
> > ACCEPT
> >
> > If the interface is specified, then this rule does not accrue any packets.
> > Is this an expected change in behavior from 2.4.22?
>
> When using a bridged firewall with 2.6 kernels, the inbound interface is
> the bridge interface, i.e. br0, and so is the outbound one...
> That's why you have physdev match that allows one to match the
> _physical_ interface, among all ones belonging to the bridge, that
> actually received the packet.
>
>
> cbr@elendil:~$ iptables -m physdev --help
> iptables v1.2.8
> [...]
> physdev v1.2.8 options:
>  --physdev-in [!] input name[+] bridge port name ([+] for wildcard)
>  --physdev-out [!] output name[+] bridge port name ([+] for wildcard)
>
>
> So, in your case:
>
> 	iptables -A FORWARD -i br0 -m physdev --physdev-in $EXTIF \
> 		-m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
Tim Gardner - timg@tpi.com 406-443-5357
TriplePoint, Inc. - http://www.tpi.com
PGP: http://www.tpi.com/PGP/Tim.txt

