From: Volker Sauer <volker@volker-sauer.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Philip Craig <philipc@snapgear.com>,
	netfilter@vger.kernel.org,
	Netfilter Development Mailinglist
	<netfilter-devel@vger.kernel.org>
Subject: Re: Problem with new --physdev-out style
Date: Wed, 24 Oct 2007 14:57:19 +0200
Message-ID: <20071024125718.GA27909@volker-sauer.de>
In-Reply-To: <471F3F4B.80205@trash.net>

On Wed, 24 Oct 2007, Patrick McHardy <kaber@trash.net> wrote:
> >This means, that all rules like that are valid even with the new concept
> >of netfilter, right?? But why do I get error messages like quoted in my
> >first mail for these rules - it *is* bridged traffic inside *one*
> >bridge!
> >And: I don't see how --physdev-is-bridged should help, since it's a
> >match and not a command to the kernel saying: "this *is* bridged
> >traffic". If the kernel does not see this by itself,
> >--physdev-is-bridged doesn't help.
> 
> Whether you believe it or not, this is the only way to tell
> the physdev match that the rule only affects purely bridged
> traffic.

Aah, now I get it! This way I can avoid the error message....
Great, I'll test it as soon as I'm back to the lab. 

> Does not work since one of the devices might be put in a different
> bridge after you loaded the rules.

Yes, you're right. 
Then the only solution is to improve the error messages.

> >If no, display a message like this:
> >
> >"physdev match: using --physdev-out in the FORWARD chains is only 
> >allowed if all physical interfaces are members of the same bridge."
> 
> 
> Feel free to send a patch to improve the error messages.

Oh, I'll see if I can patch kernel 2.6.23.1.

Regards
Volker

-- 
  Volker Sauer  *  Poststrasse 1/601   *   64293 Darmstadt  *   Germany
  E-Mail/Jabber: volker(at)volker-sauer.de * http://www.volker-sauer.de
  PGPKey-Fingerprint: DB26 11C7 B12E 0B27 3999 2E4F 7E35 4E4D 5DD5 D0E0
  http://wwwkeys.de.pgp.net/pks/lookup?op=get&search=0x7E354E4D5DD5D0E0 
