From: Philip Craig <philipc@snapgear.com>
To: Kirk Reiser <kirk@braille.uwo.ca>
Cc: netfilter@lists.netfilter.org
Subject: Re: netfiltering and ethernet bridging doesn't appear to work as advertised, help!
Date: Thu, 22 Jan 2004 10:10:07 +1000
Message-ID: <400F14DF.9010402@snapgear.com>
In-Reply-To: <x7r7xt9s5r.fsf@speech.braille.uwo.ca>

Kirk Reiser wrote:
> I'm having a bit of trouble with this statement because to me it
> doesn't seem to make sense without the notion of the interface cards.
> If eth0 is our interface to the net and eth1 our interface to the lan
> then input to an interface makes sense because input to eth0 means one
> set of rules while input to eth1 means a totally separate set.  When
> you are talking about a virtual interface such as br0 how do input and
> output relate?  Is input meaning packets entering both real interfaces
> eth0 and eth1 or does input mean to the virtual device br0.  If the
> latter what direction is input versus output, the order you add the
> NICs?  I don't see how this can be.

The bridging patch introduces the concept of physical interfaces.  If you
still have eth0 as the Internet interface, and eth1 as the lan interface,
but have them bridged by br0, then a packet from the Internet to the lan
has a physical input interface of eth0, an input interface of br0, a
physical output interface of eth1, and an output interface of br0. The -i
and -o matches will match either the physical or 'normal' interface.
So any of the following will match this packet: -i eth0, -i br0, -o eth1,
or -o br0.  The -i eth0 and -o eth1 matches will be the most useful.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
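
The matching behaviour described in the message above, modelled as an added example (not from the original post or from the bridging patch). The `Packet` class and the `matches` and `direction_report` helpers are hypothetical names, and the two sample packets are constructed for the eth0/eth1/br0 setup in the message.

```python
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    physin: str   # physical input interface (bridge port)
    indev: str    # 'normal' input interface (the bridge)
    physout: str  # physical output interface (bridge port)
    outdev: str   # 'normal' output interface (the bridge)

def _name_matches(pattern, name):
    # iptables treats a trailing '+' as a prefix wildcard (eth+ matches eth0, eth1).
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name

def matches(rule, pkt):
    """True if every -i/-o option in `rule` matches `pkt`.

    Per the message: -i matches either the physical or the normal input
    interface, and -o either the physical or the normal output interface.
    """
    args = shlex.split(rule)
    if len(args) % 2:
        raise ValueError(f"option without a value in rule: {rule!r}")
    for opt, value in zip(args[::2], args[1::2]):
        if opt == "-i":
            candidates = (pkt.physin, pkt.indev)
        elif opt == "-o":
            candidates = (pkt.physout, pkt.outdev)
        else:
            raise ValueError(f"unsupported option: {opt}")
        if not any(_name_matches(value, c) for c in candidates):
            return False
    return True

# Constructed packets: eth0 = Internet, eth1 = lan, both bridged by br0.
INET_TO_LAN = Packet("eth0", "br0", "eth1", "br0")
LAN_TO_INET = Packet("eth1", "br0", "eth0", "br0")

def direction_report(rule):
    """Which of the two forwarding directions a rule matches."""
    return {"inet_to_lan": matches(rule, INET_TO_LAN),
            "lan_to_inet": matches(rule, LAN_TO_INET)}

if __name__ == "__main__":
    for rule in ("-i eth0", "-i br0", "-o eth1", "-o br0", "-i eth0 -o eth1"):
        print(f"{rule:18} {direction_report(rule)}")
```

Under this model `-i br0` and `-o br0` match traffic in both directions, so only the physical names separate Internet-to-lan packets from the reverse flow.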


