From: Tom Eastep <teastep@shorewall.net>
To: netfilter-devel@lists.netfilter.org
Subject: Policy match with a bridge
Date: Sat, 14 Aug 2004 17:32:08 -0700
Message-ID: <411EAF08.3000401@shorewall.net>
I'm seeing odd behavior of policy match when used with a bridge.
wookie:/backup # iptables -L -n -v
Chain INPUT (policy ACCEPT 12M packets, 1412M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 57181 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination

wookie:/backup # iptables -A OUTPUT -m policy --pol ipsec --dir out -j LOG
wookie:/backup # ping tipper
PING tipper.shorewall.net (192.168.1.8) 56(84) bytes of data.
64 bytes from tipper.shorewall.net (192.168.1.8): icmp_seq=1 ttl=64 time=4.45 ms
64 bytes from tipper.shorewall.net (192.168.1.8): icmp_seq=2 ttl=64 time=3.81 ms
64 bytes from tipper.shorewall.net (192.168.1.8): icmp_seq=3 ttl=64 time=3.48 ms
64 bytes from tipper.shorewall.net (192.168.1.8): icmp_seq=4 ttl=64 time=3.56 ms
64 bytes from tipper.shorewall.net (192.168.1.8): icmp_seq=5 ttl=64 time=4.16 ms
64 bytes from tipper.shorewall.net (192.168.1.8): icmp_seq=6 ttl=64 time=3.71 ms

--- tipper.shorewall.net ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5010ms
rtt min/avg/max/mdev = 3.483/3.863/4.452/0.340 ms
wookie:/backup # setkey -D
192.168.1.3 192.168.1
	esp mode=transport spi=170223379(0x0a256713) reqid=0(0x00000000)
	E: 3des-cbc 7ebd7b0f a852467c ada833a2 3b5744fc 4ab0d47d b347e694
	A: hmac-sha1 64872be1 24233626 6429e838 8dcb7a15 159bfb12
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Aug 14 11:04:49 2004	current: Aug 14 17:19:23 2004
	diff: 22474(s)	hard: 43200(s)	soft: 34560(s)
	last: Aug 14 11:04:49 2004	hard: 0(s)	soft: 0(s)
	current: 2416880(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 8941	hard: 0	soft: 0
	sadb_seq=1 pid=30723 refcnt=0
192.168.1.8 192.168.1.3
	esp mode=transport spi=233099158(0x0de4cf96) reqid=0(0x00000000)
	E: 3des-cbc ce5a582a f621e4e5 84597866 ef941902 f4140957 01ada36d
	A: hmac-sha1 3a9394f7 439b0f4e 4fed679a 74710c67 c658146e
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Aug 14 11:04:49 2004	current: Aug 14 17:19:23 2004
	diff: 22474(s)	hard: 43200(s)	soft: 34560(s)
	last: Aug 14 11:04:49 2004	hard: 0(s)	soft: 0(s)
	current: 1208740(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 12222	hard: 0	soft: 0
	sadb_seq=0 pid=30723 refcnt=0
wookie:/backup # iptables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 16M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec LOG flags 0 level 4
wookie:/backup # brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.0040d0073a1b	no		eth1
							eth0
							eth2
wookie:/backup # ip addr ls br0
6: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
    link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
    inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
       valid_lft forever preferred_lft forever
wookie:/backup # uname -a
Linux wookie 2.6.5-7.104-default #1 Wed Jul 28 16:42:13 UTC 2004 i586 i586 i386 GNU/Linux
wookie:/backup #
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
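The check Tom performs by hand above (add an `-m policy --pol ipsec --dir out` LOG rule, send traffic over an existing ESP SA, see whether the rule counter moves) can be automated against the two outputs he pasted. The following Python is an added example, not code from the post or from Shorewall: it parses `setkey -D` and `iptables -L OUTPUT -n -v` and flags the situation shown, a mature outbound ESP SA to the peer that has processed packets while the policy-match rule's counter is still zero. The sample inputs are constructed from the values in the post; because the post's first SA header line is truncated, the sample assumes the peer is 192.168.1.8 (the ping target), and key material is omitted. The function names (`parse_setkey_dump`, `parse_iptables_listing`, `check_policy_match`) are my own.

```python
"""Cross-check IPsec SAs (setkey -D) against an iptables policy-match rule's counters.

Added example; not part of the original post. Sample inputs are constructed from the
values shown in the post.
"""
import re

# Constructed sample modelled on the post's `setkey -D` output. The post's first header
# line is truncated ("192.168.1.3 192.168.1"); the peer is assumed to be 192.168.1.8,
# the ping target. The E:/A: key lines are omitted, the parser ignores them anyway.
SETKEY_SAMPLE = """\
192.168.1.3 192.168.1.8
\tesp mode=transport spi=170223379(0x0a256713) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 2416880(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 8941\thard: 0\tsoft: 0
192.168.1.8 192.168.1.3
\tesp mode=transport spi=233099158(0x0de4cf96) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 1208740(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 12222\thard: 0\tsoft: 0
"""

# Constructed sample modelled on the post's `iptables -L OUTPUT -n -v` listing, with the
# mail-wrapped columns joined back onto one line.
IPTABLES_SAMPLE = """\
Chain OUTPUT (policy ACCEPT 16M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec LOG flags 0 level 4
"""

# iptables -v abbreviates large counters with decimal K/M/G/T suffixes (rounded values).
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_counter(text):
    """Expand an iptables counter such as '16M' to an integer (approximate when suffixed)."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_setkey_dump(text):
    """Parse `setkey -D` into SA dicts: src, dst, proto, mode, spi, state, allocated.

    An unindented 'src dst' line starts a new SA; indented lines (a tab in real output,
    '~ ' when the dump has passed through some mailers) describe the most recent SA."""
    sas = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t~":
            if not sas:
                continue
            line = raw.lstrip(" \t~")
            sa = sas[-1]
            m = re.match(r"(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)", line)
            if m:
                sa["proto"], sa["mode"], sa["spi"] = m.group(1), m.group(2), int(m.group(3))
            m = re.search(r"\bstate=(\w+)", line)
            if m:
                sa["state"] = m.group(1)
            m = re.match(r"allocated:\s+(\d+)", line)   # packets processed by this SA
            if m:
                sa["allocated"] = int(m.group(1))
        else:
            src, dst = raw.split()[:2]
            sas.append({"src": src, "dst": dst, "proto": None, "mode": None,
                        "spi": None, "state": None, "allocated": 0})
    return sas


def parse_iptables_listing(text):
    """Parse `iptables -L <chain> -n -v` rule rows; returns (chain_name, rules)."""
    chain, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        if not line or line.startswith("pkts"):
            continue
        # pkts bytes target prot opt in out source destination [match/target options]
        fields = line.split(None, 9)
        if len(fields) < 9:
            continue
        rules.append({"pkts": parse_counter(fields[0]), "bytes": parse_counter(fields[1]),
                      "target": fields[2], "proto": fields[3], "in": fields[5],
                      "out": fields[6], "src": fields[7], "dst": fields[8],
                      "matches": fields[9] if len(fields) > 9 else ""})
    return chain, rules


def check_policy_match(setkey_text, iptables_text, local, peer, direction="out"):
    """If a mature ESP SA for local<->peer has carried packets, a policy-match rule for the
    same direction should have a nonzero counter too. 'suspicious' is True when the SA
    saw traffic but the rule saw none."""
    src, dst = (local, peer) if direction == "out" else (peer, local)
    live = [sa for sa in parse_setkey_dump(setkey_text)
            if (sa["src"], sa["dst"], sa["proto"], sa["state"]) == (src, dst, "esp", "mature")]
    _, rules = parse_iptables_listing(iptables_text)
    pol_rules = [r for r in rules if f"policy match dir {direction} pol ipsec" in r["matches"]]
    sa_packets = sum(sa["allocated"] for sa in live)
    rule_packets = sum(r["pkts"] for r in pol_rules)
    return {"sa_count": len(live), "sa_packets": sa_packets,
            "rule_count": len(pol_rules), "rule_packets": rule_packets,
            "suspicious": bool(live) and sa_packets > 0 and bool(pol_rules) and rule_packets == 0}


if __name__ == "__main__":
    for k, v in check_policy_match(SETKEY_SAMPLE, IPTABLES_SAMPLE,
                                   "192.168.1.3", "192.168.1.8").items():
        print(f"{k}: {v}")
```

The SA's `allocated` counter is cumulative since the SA was created, whereas the rule counter starts when the rule is inserted, so capture both outputs after adding the rule and sending traffic, as in the post, and treat a `suspicious` result as a prompt to investigate where the packets actually traverse (the bridge path in this case) rather than as proof by itself.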