[Bridge] Bridging firewall issue - which interface are packets coming from?

[s24067@rmc.ca]

[-- Attachment #1: Type: text/plain, Size: 1605 bytes --]

Hello folks, I'm hoping someone can help me here. I'll try to describe the problem in detail.

I'm attempting to set up a bridging firewall using libipq. I'm running on Ubuntu Server 7.04, out of the box kernel (2.6.20)
My bridge is set up with the following commands:
--
brctl addbr br0 
brctl stp br0 off
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig eth1 down
ifconfig eth2 down
ifconfig eth1 0.0.0.0 up
ifconfig eth2 0.0.0.0 up
ifconfig br0 0.0.0.0 up
--

IP queue is set up with the following:
--
iptables -A FORWARD -j QUEUE
modprobe ip_queue
--


The bridge works fine. Traffic is sent back and forth. My libipq app can see traffic and stop it. However, one thing I would like to be able to find out in user space is which interface a packet arrived on (ie/ which direction it's going). As far as IPQ is concerned, all packets are arriving and leaving on br0.
After reading a bit more about netfilter, iptables and the FIREWALL document distributed with brctl, I figured my best bet would be do something like this:
iptables -A INPUT -i eth1 -j MARK --set-mark 1
iptables -A INPUT -i eth2 -j MARK --set-mark 2

This way I could just check the mark value when the packet got sent to QUEUE (and up to user space) from the FORWARD chain. However, this doesn't work. From everything I can tell, packets traversing the bridge do not even go through the INPUT chain, as I can put in this rule:
iptables -A INPUT -j DROP

yet traffic still flows through fine (as long as my libipq app is running).


Does anyone here have any ideas? I would really appreciate any suggestions.

Cheers,
David Vessey



[-- Attachment #2: Type: text/html, Size: 1723 bytes --]