Linux Netfilter discussions
From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Reject on a Bridge
Date: Thu, 04 Sep 2008 11:18:39 -0500	[thread overview]
Message-ID: <48C00A5F.2080104@riverviewtech.net> (raw)
In-Reply-To: <d95317090809031541n396f4ddao29dbbfa196801f64@mail.gmail.com>

On 09/03/08 17:41, Gilad Benjamini wrote:
> I am using iptables to run a firewall on a bridge. The bridge 
> consists of eth1 and eth2. Neither interface, nor the bridge itself, 
> have an IP address. eth0, which is not on the bridge, does have an IP 
> address.
> 
> Trying to use the REJECT target with --tcp-reset doesn't work. If I 
> understand the code correctly, the route for the RST packet is 
> determined through ip_route_me_harder in the send_reset function, 
> implying in my case that the RST packet will leave through eth0, 
> which is not the desired behavior. Theoretically, eth0 might be even 
> physically disconnected from the bridged network.
> 
> Am I missing something, or is this a real problem ?

I'm not sure where the rejection is going to come from.  At least as I 
understand it, the rejection comes from a system (with an IP) in the path 
that is refusing to pass the packet.  Thus I don't see how the bridge 
can reject the packet because there is no source IP to send the 
rejection from.  Can you add an IP to the bridge interface that is 
within the subnet that is being bridged through it so that there is a source 
IP for the rejection?

Grant. . . .
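An added example, not part of this thread and not netfilter's or the kernel's own code: a POSIX shell check for the precondition Grant suggests, namely that the bridge interface (assumed here to be br0) carries an IPv4 address inside the subnet it bridges, so that a REJECT --reject-with tcp-reset rule has a usable source address. The `ip -4 -o addr show` output it parses is constructed sample text so the script runs offline; on a real host replace it with `ip -4 -o addr show dev br0`. All function and variable names are mine.

```shell
#!/bin/sh
# Constructed sample of `ip -4 -o addr show` output (not captured from a real host).
# Field layout per line: "<idx>: <dev>    inet <addr>/<prefix> brd ... scope ..."
SAMPLE_IP_OUTPUT='2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
4: br0    inet 10.0.0.1/24 brd 10.0.0.255 scope global br0\       valid_lft forever preferred_lft forever'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as a 32-bit integer) for a prefix length 0..32.
mask_for_prefix() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# in_subnet ADDR NET/PREFIX : true if ADDR lies inside NET/PREFIX.
in_subnet() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(mask_for_prefix "$prefix")
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# bridge_has_addr_in_subnet BRIDGE NET/PREFIX IP_OUTPUT
# Walks `ip -4 -o addr show` style output and succeeds if BRIDGE has an
# IPv4 address inside NET/PREFIX, printing each match.  Run on the host,
# this is the check to do before relying on e.g.
#   iptables -A FORWARD -p tcp --dport 23 -j REJECT --reject-with tcp-reset
# on a bridge whose members have no addresses of their own.
bridge_has_addr_in_subnet() {
    bridge=$1
    subnet=$2
    ip_output=$3
    found=1
    while read -r _ dev fam addr _; do
        [ "$dev" = "$bridge" ] && [ "$fam" = "inet" ] || continue
        if in_subnet "${addr%/*}" "$subnet"; then
            echo "$bridge has $addr inside $subnet"
            found=0
        fi
    done <<EOF
$ip_output
EOF
    return $found
}

# Stand-alone run against the constructed sample: br0 is checked for the
# bridged subnet 10.0.0.0/24 and for a subnet it is not part of.
if bridge_has_addr_in_subnet br0 10.0.0.0/24 "$SAMPLE_IP_OUTPUT"; then
    echo "ok: tcp-reset on br0 has a source address in the bridged subnet"
fi
if ! bridge_has_addr_in_subnet br0 192.168.1.0/24 "$SAMPLE_IP_OUTPUT"; then
    echo "warn: br0 has no address in 192.168.1.0/24; add one before using tcp-reset there"
fi
```

The check is deliberately about the bridge's own address, not about eth1/eth2: Grant's point is that a RST needs a source IP on the segment being bridged, and the member ports carry none.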

Thread overview: 4+ messages
2008-09-03 22:41 Reject on a Bridge Gilad Benjamini
2008-09-04 16:18 ` Grant Taylor [this message]
2008-09-04 16:44   ` billycrook
2008-09-15  8:03 ` Gilad Benjamini
