From: Volker Sauer <volker@volker-sauer.de>
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: Problem with new --physdev-out style
Date: Wed, 24 Oct 2007 17:18:50 +0200
Message-ID: <20071024151850.GA7153@volker-sauer.de>
In-Reply-To: <471F528D.8000501@plouf.fr.eu.org>
On Wed, 24 Oct 2007, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> As Patrick said, that condition may change over time. I like to have all my
> ruleset loaded before the network is configured, even before some interfaces
> exist. Your proposed change would prevent it. Besides, my opinion is that it
> is not the job of iptables to do such checks.
Agreed.
>
>> If yes, accept the rule, because then it is
>> allowed to use it!!! (Which is the case all the thousands of rules in
>> my firewalls except the 5 that I sent to this list :-().
>> If no, display a message like this:
>> "physdev match: using --physdev-out in the FORWARD chains is only allowed
>> if all physical interfaces are members of the same bridge."
>
> This is wrong and inaccurate. Using --physdev-out in the FORWARD and
> POSTROUTING chains is supported for *bridged* traffic only, period. All
> physical interfaces being members of the same bridge is not a sufficient
> condition to make sure that only bridged traffic will be matched. Traffic
> can still be routed from a bridge to itself.
Yes, it is inaccurate.
But I think one needs a better explanation. I'm a power-user but still a
user, not a developer. Users think in different terms and speak another
language.
Maybe advice like "look for the option "--physdev-is-bridged" - it
may help you" or so would be good.
--
Volker Sauer * Poststrasse 1/601 * 64293 Darmstadt * Germany
E-Mail/Jabber: volker(at)volker-sauer.de * http://www.volker-sauer.de
PGPKey-Fingerprint: DB26 11C7 B12E 0B27 3999 2E4F 7E35 4E4D 5DD5 D0E0
http://wwwkeys.de.pgp.net/pks/lookup?op=get&search=0x7E354E4D5DD5D0E0
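Added example (not code from this thread, from Volker's ruleset or from the netfilter project): a pre-load check over an iptables-save style ruleset that flags the combination Pascal describes as unsupported, --physdev-out in FORWARD or POSTROUTING without a positive --physdev-is-bridged, and rewrites such rules to the --physdev-is-bridged form that Volker's suggested hint points at. The sample ruleset, the helper names and the "UNSUPPORTED:" prefix are constructed for the example; -m physdev, --physdev-out, --physdev-is-bridged and the chain names are the real iptables ones. It assumes iptables-save format (one "-A CHAIN ..." per line, "-m physdev" spelled exactly so) and only looks at the two built-in chains the thread names.

```shell
#!/bin/sh
# Added example, not code from the thread or from iptables/netfilter.
# Pre-load lint for an iptables-save style ruleset: report every rule that
# uses --physdev-out in FORWARD or POSTROUTING without an un-negated
# --physdev-is-bridged (the thread's point: --physdev-out there is only
# supported for bridged traffic), and optionally rewrite those rules.
# Assumptions: iptables-save format, "-m physdev" spelled exactly so, and
# only the two built-in chains named in the thread are checked.

# Constructed sample ruleset (not taken from the thread).
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged --physdev-out eth1 -j DROP
-A FORWARD -m physdev --physdev-in eth0 -j ACCEPT
-A INPUT -m physdev --physdev-in eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -m physdev --physdev-out eth1 -j MASQUERADE
COMMIT'

# physdev_rule_unsupported RULE: true (0) when RULE is an -A/-I rule for
# FORWARD or POSTROUTING that carries --physdev-out but no un-negated
# --physdev-is-bridged. "! --physdev-is-bridged" counts as not bridged.
physdev_rule_unsupported() {
    case "$1" in
        "-A "*|"-I "*) ;;
        *) return 1 ;;          # table headers, chain policies, COMMIT
    esac
    set -- $1                   # word-split the rule (no quoted args in iptables-save)
    if [ "$2" != "FORWARD" ] && [ "$2" != "POSTROUTING" ]; then
        return 1
    fi
    has_out=0
    bridged=0
    prev=""
    for tok in "$@"; do
        if [ "$tok" = "--physdev-out" ]; then
            has_out=1
        elif [ "$tok" = "--physdev-is-bridged" ] && [ "$prev" != "!" ]; then
            bridged=1
        fi
        prev=$tok
    done
    if [ "$has_out" -eq 1 ] && [ "$bridged" -eq 0 ]; then
        return 0
    fi
    return 1
}

# physdev_lint: read a ruleset on stdin, print "UNSUPPORTED: <rule>" for
# each offending rule; return 1 if any were found, 0 otherwise.
physdev_lint() {
    found=0
    while IFS= read -r line; do
        if physdev_rule_unsupported "$line"; then
            printf 'UNSUPPORTED: %s\n' "$line"
            found=1
        fi
    done
    return $found
}

# physdev_count_unsupported RULESET: number of offending rules, as text.
physdev_count_unsupported() {
    printf '%s\n' "$1" | physdev_lint | grep -c '^UNSUPPORTED:' || true
}

# physdev_fix: read a ruleset on stdin and emit it with --physdev-is-bridged
# inserted after "-m physdev" in every offending rule. A rule that says
# "! --physdev-is-bridged" explicitly asks for non-bridged traffic and is
# left untouched: it cannot be made bridged-only and must be redone by hand.
physdev_fix() {
    while IFS= read -r line; do
        if physdev_rule_unsupported "$line"; then
            case "$line" in
                *"! --physdev-is-bridged"*) ;;
                *"-m physdev"*)
                    line="${line%%-m physdev*}-m physdev --physdev-is-bridged${line#*-m physdev}"
                    ;;
            esac
        fi
        printf '%s\n' "$line"
    done
}

# Demo: report, then show the rewritten ruleset.
printf '%s\n' "$SAMPLE_RULES" | physdev_lint || echo "fix the rules above before loading"
printf '%s\n' "$SAMPLE_RULES" | physdev_fix
```

Two caveats for using this on a real ruleset. The rewrite narrows each rule to bridged frames, so traffic the box routes out through the bridge (Pascal's "routed from a bridge to itself" case) no longer matches it and needs its own rule keyed on -o, the logical output interface. And the lint keys on the built-in chain name only; rules in a user-defined chain that is jumped to from FORWARD are subject to the same restriction but are not detected here.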
Thread overview: 18+ messages
2007-10-24 7:18 Problem with new --physdev-out style Volker Sauer
2007-10-24 7:38 ` Patrick McHardy
2007-10-24 8:22 ` Philip Craig
2007-10-24 8:34 ` Patrick McHardy
2007-10-24 8:43 ` Pascal Hambourg
2007-10-24 9:15 ` Philip Craig
2007-10-24 9:22 ` Pascal Hambourg
2007-10-24 9:39 ` Philip Craig
2007-10-24 9:46 ` Pascal Hambourg
2007-10-24 9:05 ` Philip Craig
2007-10-24 9:42 ` Patrick McHardy
2007-10-24 12:06 ` Volker Sauer
2007-10-24 12:49 ` Patrick McHardy
2007-10-24 12:57 ` Volker Sauer
2007-10-24 14:11 ` Pascal Hambourg
2007-10-24 15:18 ` Volker Sauer [this message]
2007-10-24 9:28 ` Philip Craig
2007-10-24 8:36 ` Pascal Hambourg