From: Volker Sauer <volker@volker-sauer.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Philip Craig <philipc@snapgear.com>,
netfilter@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>
Subject: Re: Problem with new --physdev-out style
Date: Wed, 24 Oct 2007 14:06:22 +0200 [thread overview]
Message-ID: <20071024120622.GB27593@volker-sauer.de> (raw)
In-Reply-To: <471F136D.6090907@trash.net>
On Wed, 24 Oct 2007, Patrick McHardy <kaber@trash.net> wrote:
> You're right.
Yes, he's right but only for 5 of my rules which indeed bridge between
bridges (-i $BR_GUEST -o $BR_INT).
Let me summarize the discussion so far:
The warning message means that --physdev-out cannot be used if the
packet is actually forwarded (instead of bridged) between two interfaces,
even if both interfaces are bridges. In this case you either need
proxy-arp, or you need to filter by other things than physdev, or you need
some magic with marking the packets.
Okay, so far so good. I can live with that, since bridging between two
bridges is only an exemption. Usually I have only one bridge inside the
firewall with physin and physout rules. This is the case for all my
firewalls except the one I took the example from and this can easily be
fixed by removing --physdev-out and using -s or -d or something like
this. It's just the firewall of my testing site.
Coming to the real point:
99% of my rules on all my firewalls are like that:
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_INT \
    --physdev-out $IF_DMZ -s $ZAPHOD -j ACCEPT
IF_INT (eth1) and IF_DMZ (vlan3) are both members of BR_INT (br-intern):
fw1: ~ # brctl show
br-intern 8000.000d88cd28c1 yes eth1
vlan3
This means that all rules like that are valid even with the new concept
of netfilter, right?? But why do I get error messages like the ones quoted
in my first mail for these rules - it *is* bridged traffic inside *one*
bridge!
And: I don't see how --physdev-is-bridged should help, since it's a
match and not a command to the kernel saying: "this *is* bridged
traffic". If the kernel does not see this by itself,
--physdev-is-bridged doesn't help.
From all your answers, I still do not get why this rule is supposed
not to work anymore!!
If my arguments are correct, I suggest the following improvement:
In case someone is using physdev in OUTPUT, display the message like it
is now: "using --physdev-out in the OUTPUT chains for non-bridged traffic
is not supported anymore".
In case it is used inside FORWARD, check if all physdev interfaces are
members of the same bridge. If yes, accept the rule, because then it is
allowed to use it!!! (Which is the case for all the thousands of rules in
my firewalls except the 5 that I sent to this list :-().
If no, display a message like this:
"physdev match: using --physdev-out in the FORWARD chains is only
allowed if all physical interfaces are members of the same bridge."
What do you think about that?
Regards
Volker
--
Volker Sauer * Poststrasse 1/601 * 64293 Darmstadt * Germany
E-Mail/Jabber: volker(at)volker-sauer.de * http://www.volker-sauer.de
PGPKey-Fingerprint: DB26 11C7 B12E 0B27 3999 2E4F 7E35 4E4D 5DD5 D0E0
http://wwwkeys.de.pgp.net/pks/lookup?op=get&search=0x7E354E4D5DD5D0E0
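The check Volker proposes (accept a FORWARD rule with --physdev-in/--physdev-out only when both interfaces are ports of the same bridge) can be prototyped in user space before rules are loaded. The script below is an added example; it is not part of the mail, of iptables or of netfilter, and it says nothing about what the kernel itself does. It parses `brctl show` style output like the one quoted above. The variable `BRCTL_OUTPUT`, the bridge table it falls back to, and the address 192.0.2.10 in the demo calls are constructed for this example; on a real host you would set `BRCTL_OUTPUT="$(brctl show)"`.

```shell
#!/bin/sh
# Added example (not from the mail or from netfilter/iptables): a user-space
# pre-check implementing the proposed rule, i.e. accept a FORWARD rule with
# --physdev-in/--physdev-out only when both interfaces are ports of the same
# bridge. BRCTL_OUTPUT is an assumed variable: set BRCTL_OUTPUT="$(brctl show)"
# on a real host; when unset, the constructed sample below is used so the
# script runs offline.

BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br-intern       8000.000d88cd28c1       yes             eth1
                                                        vlan3
br-guest        8000.000d88cd28c2       yes             eth2
br-empty        8000.000000000000       no'

# bridge_of IFACE: print the bridge that IFACE is a port of (nothing if none).
# In brctl output a line with four or more fields starts a bridge and names its
# first port, a line with three fields is a bridge without ports, and a line
# with a single field is a further port of the bridge started above it.
bridge_of() {
    printf '%s\n' "${BRCTL_OUTPUT:-$BRCTL_SAMPLE}" | awk -v want="$1" '
        NR == 1 { next }                       # column header
        NF >= 4 { br = $1; port = $NF }        # bridge line with first port
        NF == 3 { br = $1; port = "" }         # bridge line without ports
        NF == 1 { port = $1 }                  # continuation line: another port
        port != "" && port == want { print br; exit }
    '
}

# same_bridge IN OUT: succeed only if both interfaces are ports of one bridge.
same_bridge() {
    in_br=$(bridge_of "$1")
    out_br=$(bridge_of "$2")
    [ -n "$in_br" ] && [ "$in_br" = "$out_br" ]
}

# check_physdev_rule RULE-ARGS...: take an iptables rule as its argument list
# and apply the proposed FORWARD-chain check. Returns 0 when the rule is
# acceptable, 1 when --physdev-out would be used across bridges.
check_physdev_rule() {
    pin=""; pout=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --physdev-in)  pin=${2:-};  shift ;;
            --physdev-out) pout=${2:-}; shift ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ -z "$pout" ]; then
        echo "ok: rule does not use --physdev-out"
        return 0
    fi
    if [ -z "$pin" ]; then
        echo "reject: --physdev-out without --physdev-in, cannot verify both ports belong to one bridge"
        return 1
    fi
    if same_bridge "$pin" "$pout"; then
        echo "ok: $pin and $pout are ports of $(bridge_of "$pin"), traffic between them is bridged"
        return 0
    fi
    echo "reject: $pin and $pout are not ports of the same bridge; traffic between them is routed, so --physdev-out is not supported"
    return 1
}

# Demo on the constructed sample ('|| :' keeps a rejection from aborting the
# script when it runs under 'set -e').
check_physdev_rule -A FORWARD -i br-intern -m physdev --physdev-in eth1 --physdev-out vlan3 -s 192.0.2.10 -j ACCEPT || :
check_physdev_rule -A FORWARD -i br-guest -o br-intern -m physdev --physdev-in eth2 --physdev-out eth1 -j ACCEPT || :
```

The first demo call is the shape of the "99%" rule from the mail (both physdev interfaces inside br-intern) and is accepted; the second is the bridge-to-bridge case and is rejected with the message the mail suggests. A wrapper could run `check_physdev_rule "$@"` before each `$IPTABLES "$@"` in a firewall script to flag the handful of cross-bridge rules up front.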