* iptables: Distinguishing packets from bridge-nf-call-iptables
From: Alex Bligh @ 2014-02-05 11:24 UTC (permalink / raw)
To: netfilter list; +Cc: Alex Bligh
I am trying to run two pieces of software X and Y on a linux box.
X assumes /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. I am not able to modify this.
Y assumes /proc/sys/net/bridge/bridge-nf-call-iptables is set to 0. This is my software and I can modify it.
I want to adapt my rules for Y so that it copes with /proc/sys/net/bridge/bridge-nf-call-iptables=1 by ignoring (in the iptables rule) any traffic which is purely bridged, and simply doing the ebtables rules on these packets.
In the iptables rules, how do I differentiate ip forwarded traffic from bridged traffic? The bridge interfaces may or may not carry IP addresses.
--
Alex Bligh
* Re: iptables: Distinguishing packets from bridge-nf-call-iptables
From: Mart Frauenlob @ 2014-02-05 11:53 UTC (permalink / raw)
To: Alex Bligh; +Cc: netfilter list
On 05.02.2014 12:24, Alex Bligh wrote:
> I am trying to run two pieces of software X and Y on a linux box.
>
> X assumes /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. I am not able to modify this.
>
> Y assumes /proc/sys/net/bridge/bridge-nf-call-iptables is set to 0. This is my software and I can modify it.
>
> I want to adapt my rules for Y so that it copes with /proc/sys/net/bridge/bridge-nf-call-iptables=1 by ignoring (in the iptables rule) any traffic which is purely bridged, and simply doing the ebtables rules on these packets.
>
> In the iptables rules, how do I differentiate ip forwarded traffic from bridged traffic? The bridge interfaces may or may not carry IP addresses.
>
-m physdev ... ?
* Re: iptables: Distinguishing packets from bridge-nf-call-iptables
From: Alex Bligh @ 2014-02-06 0:58 UTC (permalink / raw)
To: mart.frauenlob; +Cc: Alex Bligh, netfilter list
On 5 Feb 2014, at 11:53, Mart Frauenlob wrote:
> On 05.02.2014 12:24, Alex Bligh wrote:
>> I am trying to run two pieces of software X and Y on a linux box.
>>
>> X assumes /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. I am not able to modify this.
>>
>> Y assumes /proc/sys/net/bridge/bridge-nf-call-iptables is set to 0. This is my software and I can modify it.
>>
>> I want to adapt my rules for Y so that it copes with /proc/sys/net/bridge/bridge-nf-call-iptables=1 by ignoring (in the iptables rule) any traffic which is purely bridged, and simply doing the ebtables rules on these packets.
>>
>> In the iptables rules, how do I differentiate ip forwarded traffic from bridged traffic? The bridge interfaces may or may not carry IP addresses.
>>
>
> -m physdev ... ?
Ah "-m physdev --physdev-is-bridged" - thanks
If I want to return to ebtables checking etc. (i.e. do nothing) I take it -j ACCEPT
will do this (i.e. ACCEPT does not mean 'override ebtables rejection')?
--
Alex Bligh
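Putting the two answers above together as an added example (not code from anyone on the thread): a Y-side rule set that uses -m physdev --physdev-is-bridged to return bridged frames from Y's own chain before any of Y's filtering runs, so X's rules in FORWARD and the ebtables rules are left to handle them. The chain name Y_FWD, bridge br0 and subnet 10.0.0.0/24 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Y keeps its iptables rules in a
# chain of its own and returns purely bridged frames from that chain before
# anything else, so Y works the same with bridge-nf-call-iptables at 0 or 1
# and X's rules in FORWARD are left alone. Chain name Y_FWD, bridge br0 and
# subnet 10.0.0.0/24 are constructed. IPT defaults to a dry run that only
# prints the commands; run with IPT=iptables as root to install them.
IPT="${IPT:-echo iptables}"

# True when br_netfilter is handing bridged IPv4 frames to iptables, i.e.
# when Y's FORWARD rules will see traffic they were never written for.
# $1: sysctl file to read (the real one by default; overridable for tests).
bridge_calls_iptables() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Y's rules, one per line, in install order.
#  * --physdev-is-bridged matches only a frame that is being bridged (in
#    and out ports both belong to the bridge). RETURN hands it back to
#    FORWARD, so X's rules there and ebtables afterwards still see it;
#    ACCEPT would leave Y_FWD too but end FORWARD traversal, skipping X.
#    Neither verdict overrides an ebtables decision.
#  * Without that rule, any bridged frame not in Y's allow list hits the
#    final DROP as soon as bridge-nf-call-iptables is 1. With the sysctl
#    at 0 no bridged frame enters iptables, so the rule is harmless.
y_forward_rules() {
    cat <<'EOF'
-N Y_FWD
-A Y_FWD -m physdev --physdev-is-bridged -j RETURN
-A Y_FWD -i br0 -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A Y_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A Y_FWD -j DROP
-A FORWARD -j Y_FWD
EOF
}

# Install (or, by default, print) the rules, warning when the bypass rule
# cannot match on this host because bridged frames never enter iptables.
apply_rules() {
    if ! bridge_calls_iptables; then
        echo "# bridge-nf-call-iptables is not 1: bypass rule is a no-op" >&2
    fi
    y_forward_rules | while IFS= read -r rule; do
        $IPT $rule
    done
}

apply_rules
```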