From: Tim Gardner <timg-l6nL5VImRDY@public.gmane.org>
To: Cedric Blancher
<blancher-cPThYx3uDionEikN29/hQkZa+K1vlBrA@public.gmane.org>
Cc: netfilter-wool9L35kiczKOhml7GhPkB+6BGkLq7r@public.gmane.org,
ebtables-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: 2.6.0-test9, bridge firewall, interface specification
Date: Thu, 6 Nov 2003 15:11:13 -0700
Message-ID: <200311061511.13781.timg@tpi.com>
In-Reply-To: <1068155572.818.19.camel-C+0P+FOGv0rbFIwZ3jqLltgfHpRXVu16X36uYwy3hK3k1uMJSBkQmQ@public.gmane.org>
Way cool. Thanks for the note. It works again.
On Thursday 06 November 2003 14:52, Cedric Blancher wrote:
> On Thu 06/11/2003 at 22:07, Tim Gardner wrote:
> > I have a well behaved bridge firewall using 2.4.22 with the relevant
> > P-O-M patches applied. In testing 2.6.0-test9 I have determined that
> > interface specification on a rule no longer works. For example, the first
> > rule in the set that should catch 99% of all inbound TCP packets is
> >
> > iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j
> > ACCEPT
> >
> > If the interface is specified, then this rule does not accrue any packets.
> > Is this an expected change in behavior from 2.4.22?
>
> When using a bridged firewall with 2.6 kernels, the inbound interface is
> the bridge interface, i.e. br0, and so is the outbound one...
> That's why you have the physdev match, which allows one to match the
> _physical_ interface, among all those belonging to the bridge, that
> actually received the packet.
>
>
> cbr-4hKyKyxg39Y@public.gmane.org:~$ iptables -m physdev --help
> iptables v1.2.8
> [...]
> physdev v1.2.8 options:
> --physdev-in [!] input name[+] bridge port name ([+] for wildcard)
> --physdev-out [!] output name[+] bridge port name ([+] for wildcard)
>
>
> So, in your case:
>
> iptables -A FORWARD -i br0 -m physdev --physdev-in $EXTIF \
> -m state --state ESTABLISHED,RELATED -j ACCEPT
--
Tim Gardner - timg-l6nL5VImRDY@public.gmane.org 406-443-5357
TriplePoint, Inc. - http://www.tpi.com
PGP: http://www.tpi.com/PGP/Tim.txt
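As an added example that is not part of the thread, a small POSIX shell helper that rewrites 2.4-style rules naming a physical interface into the 2.6 bridge form Cedric describes. It assumes the bridge is br0 (overridable) and that any other -i/-o argument names a bridge port; it leaves rules that already use the bridge untouched.

```shell
#!/bin/sh
# Added example, not code from the thread. On a 2.6 bridge firewall the
# packet's in/out interface is the bridge itself, so a rule that matches
# "-i eth0" never fires. convert_rule rewrites "-i PORT" / "-o PORT" into
# "-i BRIDGE" / "-o BRIDGE" and adds one physdev match carrying
# "--physdev-in PORT" / "--physdev-out PORT" (placed before the -j target,
# or at the end when there is no target). Assumption: BRIDGE defaults to br0.
#
# usage: convert_rule "<iptables rule>" [bridge]
convert_rule() {
    rule="$1"
    bridge="${2:-br0}"
    printf '%s\n' "$rule" | awk -v br="$bridge" '
    {
        out = ""; phys = ""
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok == "-i" || tok == "-o") {
                j = i + 1; neg = ""
                if (j <= NF && $j == "!") { neg = "! "; j++ }   # "-i ! ethN" form
                if (j <= NF && $j != br) {                       # a bridge port
                    side = (tok == "-i") ? "in" : "out"
                    phys = phys " --physdev-" side " " neg $j
                    out = out tok " " br " "
                    i = j
                    continue
                }
            }
            if (tok == "-j" && phys != "") {        # emit physdev before target
                out = out "-m physdev" phys " "
                phys = ""
            }
            out = out tok " "
        }
        if (phys != "") out = out "-m physdev" phys " "
        sub(/ $/, "", out)
        print out
    }'
}

# Demo with a constructed rule set (the first one is from the thread, EXTIF=eth0).
convert_rule "iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
convert_rule "iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22 -j DROP"
convert_rule "iptables -A FORWARD -i br0 -j ACCEPT"
```

Wildcard port names such as eth+ pass through unchanged, since physdev accepts the same [+] suffix as -i/-o.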