It sounds like you are running bridging with the netfilter hooks. See the
section at the bottom of the page on bridging + firewalling (really
netfilter hooks):

  http://bridge.sourceforge.net/download.html

And of course, the newest patches here:

  http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html

Are you running a kernel with support for bridge+nf (as it is known)?

-Martin

 : If I create the following setup:
 :
 :
 :   66.8.28.52/29                  66.8.28.51/29
 :     +------+                       +------+
 :     | PC A |------+     +----------| PC B |
 :     +------+      |     |          +------+
 :                   |     |
 :               eth1|     | eth0
 :                   +-----+
 :                   | qos |  (br0 = 66.8.28.49/29)
 :                   +-----+
 :
 : PC A is connected to qos via crossover cable and PC B and qos are plugged
 : into the same switch. So even though everything is on the same network, traffic
 : has to go through qos when PC A talks to PC B.
 :
 : Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
 : FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
 : tables - i.e. netfilter doesn't see any traffic flowing through the machine.
 :
 : Why is this? How do I match this traffic using netfilter? I can't use
 : ebtables because I have to match traffic in the mangle table if I want to
 : use it in conjunction with tc.
 :

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx