From: Jonathan Tripathy <jonnyt@abpni.co.uk>
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>, netfilter@vger.kernel.org
Subject: Re: Bridges
Date: Tue, 24 Aug 2010 18:37:11 +0100
Message-ID: <4C740347.3010508@abpni.co.uk>
In-Reply-To: <4C73DABD.7080007@plouf.fr.eu.org>


On 24/08/10 15:44, Pascal Hambourg wrote:
> Jonathan Tripathy wrote:
>    
>> Ok, so as I understand Linux, and please correct me if I'm wrong, when a
>> packet comes into a physical interface on a Linux machine, regardless of
>> the status of the net.ipv4.conf.<interface>.forwarding, Linux will
>> always put the packet onto a "chain". This will either be the INPUT
>> chain or the FORWARD chain. Is that correct?
>>      
> This is correct if you consider only the IP layer (IP stack, IP
> packets). If you consider the link layer (bridging, VLAN, bonding,
> tunnels...) things get more complicated.
>
>    
>> Next, if the packet is destined for an IP of one of the local
>> interfaces, it puts it onto the INPUT chain, correct?
>>      
> Correct.
>
>    
>> However if the packet is destined for a non-local host, it puts it onto
>> the FORWARD chain, correct?
>>      
> Only if net.ipv4.ip_forward=1 or net.ipv4.conf.<interface>.forwarding=1,
> and the TTL is > 0 after being decremented. Otherwise the packet is
> discarded before entering the FORWARD chain.
>
>    
>> Then, when the packet is on the forward chain, it depends on if the
>> incoming interface is connected to a bridge or not.
>>      
> No, it doesn't. In the IP stack, the interface type does not matter.
> Only the routing table matters.
>
> Jan's diagram pointed to by Karel Rericha explains paths in the IP layer
> and the link layer. However bridge-netfilter (the capability to send
> bridged packets through {ip,arp,ipv6}tables chains whereas they are not
> processed by the IP stack) makes things a bit more complicated.

I think what I am getting confused with is how am I able to use the 
FORWARD chain in iptables with my bridge setup, even though forwarding 
is disabled?

Thanks
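
The two paths into the iptables FORWARD chain that the quoted reply distinguishes (IP forwarding and bridge-netfilter) can be checked per interface; the script below is an added example, not part of the original message or of any netfilter tool. `forward_sources`, `read_flag` and the `ROOT` prefix argument are hypothetical names; the sysctl and sysfs paths are the standard Linux ones, and on kernels where bridge-netfilter is a separate module the bridge sysctl is absent until that module is loaded.

```shell
#!/bin/sh
# Added example: report which kernel paths can hand a non-local IPv4 packet
# received on an interface to the iptables FORWARD chain.
# ROOT (hypothetical, for testing) prefixes /proc and /sys so the function can
# be run against a constructed directory tree instead of the live host.

read_flag() {   # print the file's content, or 0 when the file is missing
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

forward_sources() {
    iface=$1
    root=${2:-}
    l3_if=$iface
    sources=""

    # Bridged path: frames on a bridge port are switched at the link layer.
    # bridge-netfilter passes them through iptables only when this sysctl is 1,
    # independently of any IP forwarding setting.
    if [ -d "$root/sys/class/net/$iface/brport" ]; then
        nf=$(read_flag "$root/proc/sys/net/bridge/bridge-nf-call-iptables")
        if [ "$nf" = 1 ]; then sources="bridge-netfilter"; fi
        # For routing, the IP stack sees the bridge device, not the port.
        link=$(readlink "$root/sys/class/net/$iface/brport/bridge" 2>/dev/null || true)
        if [ -n "$link" ]; then l3_if=$(basename "$link"); fi
    fi

    # Routed path: the IP stack forwards only if forwarding is enabled
    # globally or on the receiving (layer 3) interface.
    global=$(read_flag "$root/proc/sys/net/ipv4/ip_forward")
    per_if=$(read_flag "$root/proc/sys/net/ipv4/conf/$l3_if/forwarding")
    if [ "$global" = 1 ] || [ "$per_if" = 1 ]; then
        sources="${sources:+$sources }routing"
    fi

    echo "${sources:-none}"
}

# Stand-alone use: report every interface on this host.
for d in /sys/class/net/*; do
    [ -e "$d" ] || continue
    printf '%s: %s\n' "${d##*/}" "$(forward_sources "${d##*/}")"
done
```

A bridge port that reports `bridge-netfilter` while forwarding is off is the situation asked about above: FORWARD rules apply to bridged traffic even though the host routes nothing.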
