Re: Bridges

[Jonathan Tripathy <jonnyt@abpni.co.uk>]

On 24/08/10 15:44, Pascal Hambourg wrote:
> Jonathan Tripathy a écrit :
>    
>> Ok, so as I understand Linux, and please correct me if I'm wrong, when a
>> packet comes into a physical interface on a Linux machine, regardless of
>> the status of the net.ipv4.conf.<interface>.forwarding, Linux will
>> always put the packet onto a "chain". This will either be the INPUT
>> chain or the FORWARD chain. Is that correct?
>>      
> This is correct if you consider only the IP layer (IP stack, IP
> packets). If you consider the link layer (bridging, VLAN, bonding,
> tunnels...) things get more complicated.
>
>    
>> Next, if the packet it destined for an IP of one of the local
>> interfaces, it puts it onto the INPUT chain, correct?
>>      
> Correct.
>
>    
>> However if the packet it destined for a non-local host, it puts it onto
>> the FORWARD chain, correct?
>>      
> Only if net.ipv4.ip_forward=1 or net.ipv4.conf.<interface>.forwarding=1,
> and the TTL is>  0 after being decremented. Otherwise the packet is
> discarded before entering the FORWARD chain.
>
>    
>> Then, when the packet is on the forward chain, it depends on if the
>> incoming interface is connected to a bridge or not.
>>      
> No, it doesn't. In the IP stack, the interface type does not not matter.
> Only the routing table matters.
>
> Jan's diagram pointed to by Karel Rericha explains paths in the IP layer
> and the link layer. However bridge-netfilter (the capability to send
> bridged packets through {ip,arp,ipv6}tables chains whereas they are not
> processed by the IP stack) makes things a bit more complicated.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>    

I think what I am getting confused with is how am I able to use the 
FORWARD chain in iptables with my bridge setup, even though forwarding 
is disabled?

Thanks