netfilter.vger.kernel.org archive mirror
* turning off iptables processing for bridged packets
@ 2011-02-27 15:04 Alex Bligh
  2011-02-27 15:21 ` "Oleg A. Arkhangelsky"
  2011-02-27 15:30 ` /dev/rob0
  0 siblings, 2 replies; 3+ messages in thread
From: Alex Bligh @ 2011-02-27 15:04 UTC (permalink / raw)
  To: netfilter; +Cc: Alex Bligh

By default netfilter appears to apply iptables rules (specifically the
FORWARD chain) to bridged packets. Is there a way to turn this off
(i.e. only apply the FORWARD chain to routed packets, not bridged
ones)? I seem to remember there is, but I can't for the life of
me find the configuration setting.

-- 
Alex Bligh

* Re: turning off iptables processing for bridged packets
  2011-02-27 15:04 turning off iptables processing for bridged packets Alex Bligh
@ 2011-02-27 15:21 ` "Oleg A. Arkhangelsky"
  2011-02-27 15:30 ` /dev/rob0
  1 sibling, 0 replies; 3+ messages in thread
From: "Oleg A. Arkhangelsky" @ 2011-02-27 15:21 UTC (permalink / raw)
  To: Alex Bligh; +Cc: netfilter

27.02.2011, 18:04, "Alex Bligh" <alex@alex.org.uk>:
> By default netfilter appears to apply iptables rules (specifically the
> FORWARD chain) to bridged packets. Is there a way to turn this off
> (i.e. only apply the FORWARD chain to routed packets, not bridged
> ones)? I seem to remember there is, but I can't for the life of
> me find the configuration setting.

net.bridge.bridge-nf-call-iptables = 0

-- 
wbr, Oleg.

* Re: turning off iptables processing for bridged packets
  2011-02-27 15:04 turning off iptables processing for bridged packets Alex Bligh
  2011-02-27 15:21 ` "Oleg A. Arkhangelsky"
@ 2011-02-27 15:30 ` /dev/rob0
  1 sibling, 0 replies; 3+ messages in thread
From: /dev/rob0 @ 2011-02-27 15:30 UTC (permalink / raw)
  To: netfilter

On Sun, Feb 27, 2011 at 03:04:32PM +0000, Alex Bligh wrote:
> By default netfilter appears to apply iptables rules (specifically 
> the FORWARD chain) to bridged packets. Is there a way to turn this 
> off (i.e. only apply the FORWARD chain to routed packets, not 
> bridged ones)? I seem to remember there is, but I can't for the 
> life of me find the configuration setting.

I'm not sure if there is a runtime sysctl, but at compile time your 
option is CONFIG_BRIDGE_NETFILTER.

If you don't want to compile a new kernel, you could put rules 
passing bridge-only traffic at the top of FORWARD:
    -A FORWARD -i br0 -o br0 -j ACCEPT
for example.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
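A small audit helper, added here and not part of the thread, that checks the two mechanisms named in the replies above: the bridge-nf-call-iptables sysctl (0 means bridged frames skip the FORWARD chain entirely, so inter-guest traffic on a bridge is no longer filtered by iptables) and the bridge-only ACCEPT rule placed first in FORWARD. The sample sysctl file and iptables-save dump are constructed; the /proc path and the br0 name are taken from the replies, and the dump is assumed to be in iptables-save format.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Bridged frames escape FORWARD
# filtering when the sysctl is 0 or a bridge-only ACCEPT rule comes first.

# bridge_nf_state [FILE]: "off" if the sysctl is 0 (bridged frames skip
# iptables), "on" if 1, "absent" if the file is missing (bridge netfilter
# not compiled in or not loaded, so bridged frames are not seen either).
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo off ;;
        1) echo on ;;
        *) echo unknown ;;
    esac
}

# first_forward_rule FILE: first rule of the FORWARD chain in an
# iptables-save dump (empty if the chain has no rules).
first_forward_rule() {
    grep '^-A FORWARD ' "$1" | head -n 1
}

# bridge_bypass_rule_first FILE BRIDGE: succeeds when the first FORWARD rule
# is exactly the "-i BRIDGE -o BRIDGE -j ACCEPT" shortcut from the reply.
bridge_bypass_rule_first() {
    [ "$(first_forward_rule "$1")" = "-A FORWARD -i $2 -o $2 -j ACCEPT" ]
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SYSCTL=$(mktemp)
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_SYSCTL" "$SAMPLE_RULES"' EXIT
echo 0 > "$SAMPLE_SYSCTL"
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
echo "this host, bridge-nf-call-iptables: $(bridge_nf_state)"
echo "sample sysctl file: $(bridge_nf_state "$SAMPLE_SYSCTL")"
if bridge_bypass_rule_first "$SAMPLE_RULES" br0; then
    echo "sample dump: br0-to-br0 traffic is accepted before any other FORWARD rule"
fi
```

Run it on a real host with `iptables-save > rules.txt` and pass `rules.txt` to `bridge_bypass_rule_first` to see which of the two mechanisms, if either, is in effect.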
