From: Peter Warasin <peter@endian.com>
To: netfilter-devel@vger.kernel.org
Subject: physdev-out
Date: Fri, 08 Feb 2008 19:26:33 +0100
Message-ID: <47AC9ED9.8020506@endian.com>


Hi guys

I ran into the same problem as some other people here on the list (like
Philip and Greg, as far as Google tells me).
I am trying to warm up the discussion, since I think there is currently
no good solution.

Since --physdev-out no longer works for connections coming from outside
the bridge, it's no longer possible to *simply* create some sort of
filter rules.

I understand that you can solve the problem by creating rules by IP
addresses instead of physdev-out devices, and then allowing via ebtables
only those IP addresses on the devices you know they are behind.

Or, you mark and then filter with ebtables by the nfmark.
That's the solution I chose, since I do not always know which IP pools I
have behind that interface. It would be way easier to simply filter
by physdev-out.

But this nfmark story turned out to be a really complex, complicated
nightmare, where you end up debugging your rules with a pocket calculator.
Needless to say, it is error-prone at best, and some cases you can't
even map with it.

The need to filter on physdev-out interfaces arises mostly when you need
bridged VPN endpoints, like Philip had.
You bridge a VPN endpoint together with a local bridge, due to protocols
where this is necessary, and at the same time you want to restrict the
traffic coming from another device (which is not within the bridge) which
needs to go into the VPN.

I understand that this change was necessary, that it's saner now and that
it solved other problems. But I think the old functionality is somewhat
saner to use. The possible solutions I am aware of are, IMHO, just
workarounds, which sooner or later get people into trouble.

Now, I am not that familiar with that code, and it will surely take me a
while to understand whether there could be a sane solution.
So I would like to ask if you guys know of a better solution or can help
me go in the right direction.

thanks

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter@endian.com
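The mark-and-filter workaround the mail describes, as an added example that is not part of the original post or of any netfilter project code: each routed source interface gets its own nfmark bit, set with iptables and matched with ebtables on the bridge port, so the bit arithmetic is done once rather than by hand per rule. The interface names (eth0 as the routed interface outside the bridge, tap0 as the VPN endpoint enslaved to the bridge) and the helper names are assumptions.

```shell
# Assumed layout (constructed for this example): eth0 is routed, not part of
# the bridge; tap0 is the VPN endpoint enslaved to the bridge. Set RUN=1 to
# execute the rules instead of printing them.

# One mark bit per source interface; the mask isolates that bit later.
mark_bit() {
    # $1: bit index 0..31 -> hex mark such as 0x4
    printf '0x%x' "$(( 1 << $1 ))"
}

# Emit (or run, with RUN=1) the rule pair for one routed source interface:
#   1. iptables tags packets entering on $in_if with its own mark bit;
#      --or-mark keeps any other mark bits (e.g. QoS marks) intact.
#   2. ebtables matches frames carrying that bit when they leave the bridge
#      through $out_port. Routed frames enter the bridge via the bridge
#      device itself, so ebtables sees them in OUTPUT, not FORWARD.
#      value/mask compares only the one bit, so other marks cannot clash.
# $4 is the ebtables target, DROP by default.
physdev_out_block() {
    in_if=$1 bit=$2 out_port=$3 target=${4:-DROP}
    m=$(mark_bit "$bit")
    rule1="iptables -t mangle -A PREROUTING -i $in_if -j MARK --or-mark $m"
    rule2="ebtables -A OUTPUT -o $out_port --mark $m/$m -j $target"
    if [ "${RUN:-0}" = 1 ]; then
        $rule1 && $rule2
    else
        printf '%s\n%s\n' "$rule1" "$rule2"
    fi
}

# Example: block traffic arriving on eth0 from leaving the bridge via tap0.
physdev_out_block eth0 2 tap0
```

Without RUN=1 the function only prints the two rules, which makes it easy to review the mark/mask values before applying them.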
