From: Philip Craig <philipc@snapgear.com>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] support --physdev-out for routed packets
Date: Fri, 13 Jul 2007 10:58:03 +1000
Message-ID: <4696CE1B.1090600@snapgear.com>
In-Reply-To: <4696225E.3000606@trash.net>
Patrick McHardy wrote:
> It's probably also racy wrt. fdb changes.
Yes. It could modify the bridging code to only forward to the
physoutdev stored in nf_bridge, or store the fdb result in
nf_bridge and avoid the second fdb lookup.
> The thing I still don't get
> is .. if you combine a bunch of devices in a bridge, why would you
> care which port a packet will leave through? If you already know
> behind which port something is reachable, why use a bridge? And if
> you don't know I suppose you have nothing to filter by.
>
The devices in the bridge represent different security zones.
Using a bridging firewall gives physical separation of these zones
without requiring additional IP networks or configuration changes
for the machines on those networks. The security policy has rules
defined primarily in terms of the zones, not the individual machines
in those zones. Matching on just IP address is not enough, because
it does not enforce the physical separation.
We definitely could configure the firewall to know which address
is behind which port, and enforce this in ebtables. This is the
solution Shorewall has used (I haven't looked to see if it enforces
the ports). But that requires more configuration. Basically it is
just a convenience argument. I'll definitely be trying to migrate
things to this setup though.
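The zone argument above, as an added example that is not part of this thread or of the patch: a small model of a bridging firewall where each port is a security zone, evaluating the same packets against a ruleset that infers the zone from the source address and one that uses the physdev match. The port names, address prefixes and policy table are constructed for the example.

```python
from dataclasses import dataclass

# Constructed layout (assumption): each bridge port is one security zone.
ZONES = {"eth0": "lan", "eth1": "dmz", "eth2": "wan"}
# Addresses the policy expects to see behind each zone (prefix match keeps it short).
ZONE_PREFIX = {"lan": "10.0.1.", "dmz": "10.0.2."}
# The policy is written in terms of zones, not hosts: (from_zone, to_zone) -> target.
POLICY = {("lan", "dmz"): "ACCEPT", ("lan", "wan"): "ACCEPT", ("dmz", "wan"): "ACCEPT"}


@dataclass(frozen=True)
class Packet:
    src: str          # source IP as seen by the FORWARD chain
    physdev_in: str   # bridge port the frame arrived on
    physdev_out: str  # bridge port the frame will leave through


def zone_of_addr(addr: str):
    return next((z for z, p in ZONE_PREFIX.items() if addr.startswith(p)), None)


def ip_only_verdict(pkt: Packet) -> str:
    """Ruleset of the form `-s 10.0.1.0/24 --physdev-out eth1 -j ACCEPT`: the
    source zone is inferred from the address, so a spoofed address is trusted."""
    return POLICY.get((zone_of_addr(pkt.src), ZONES[pkt.physdev_out]), "DROP")


def physdev_verdict(pkt: Packet) -> str:
    """Ruleset of the form `-m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT`:
    the zone comes from the port, so the address cannot move a host between zones."""
    return POLICY.get((ZONES[pkt.physdev_in], ZONES[pkt.physdev_out]), "DROP")


def physdev_rules(chain: str = "FORWARD") -> list:
    """Render POLICY as iptables physdev-match commands, default policy DROP."""
    port = {z: p for p, z in ZONES.items()}
    rules = [f"iptables -A {chain} -m physdev --physdev-in {port[a]} --physdev-out {port[b]} -j {t}"
             for (a, b), t in POLICY.items()]
    return rules + [f"iptables -P {chain} DROP"]


if __name__ == "__main__":
    legit = Packet("10.0.1.5", "eth0", "eth1")   # lan host -> dmz
    spoof = Packet("10.0.1.5", "eth2", "eth1")   # wan port claiming a lan address
    for p in (legit, spoof):
        print(p, "ip-only:", ip_only_verdict(p), "physdev:", physdev_verdict(p))
    print("\n".join(physdev_rules()))
```

The spoofed packet is accepted by the address-based ruleset and dropped by the port-based one, which is the physical separation the message refers to.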