<bill-the-cat-sound>

Ack! I meant to say: "It sounds like you are running bridging without the netfilter hooks." But, of course, you understood what I meant.

 : No, I'm not running with ebtables+nf support. From what I understand
 : (and please correct me if I'm wrong), patching the kernel with
 : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
 : and NAT chains which you can match traffic on.
 :
 : However, I need to match traffic in the mangle table, so the ebtables
 : table won't help me.

In order for you to be able to use iptables *at all* with the bridging code, you need the bridge+nf patch(es).

 : (a) If I add the bridge-nf + ebtables patches, will I be able to match
 : traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?

Good question. I haven't used the OUTPUT and POSTROUTING chains, but I have used the FORWARD chain on a bridge+nf installation. I think the link you forwarded to this list earlier today [1] shows the sequence of netfilter hook traversal, but assumes that you are running bridge+nf.

 : (b) Why does netfilter not currently see the traffic even though a tcpdump
 : on eth0/eth1 shows all the traffic passing through the interfaces?

See above....

-Martin

[1] http://www.sparkle-cc.co.uk/firewall/firewall.html

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
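A quick way to check the point made in this reply (bridged frames only reach iptables when bridge+nf is present and switched on), as an added example that is not part of the original thread. On current kernels the bridge+nf patch lives on as the br_netfilter module and its `/proc/sys/net/bridge/bridge-nf-call-iptables` switch; the `PROC_ROOT` argument and the mock directory are constructed here so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: report whether bridged IP frames will traverse the iptables
# hooks (and so be visible to mangle FORWARD rules) on this host.
# Argument 1 (assumed, for testing) is the /proc root; defaults to /proc.

bridge_nf_status() {
    proc_root="${1:-/proc}"
    knob="$proc_root/sys/net/bridge/bridge-nf-call-iptables"
    if [ ! -r "$knob" ]; then
        # No bridge-nf support loaded: iptables never sees bridged frames,
        # even though tcpdump on the bridge ports shows them.
        echo "absent"
        return 1
    fi
    case "$(cat "$knob")" in
        1) echo "enabled";  return 0 ;;  # bridged frames pass through iptables
        0) echo "disabled"; return 2 ;;  # support present but turned off
        *) echo "unknown";  return 3 ;;
    esac
}

# Build a constructed mock /proc tree: $1 = root, $2 = knob value ("" = no knob).
make_mock() {
    mkdir -p "$1/sys/net/bridge"
    if [ -n "$2" ]; then
        printf '%s\n' "$2" > "$1/sys/net/bridge/bridge-nf-call-iptables"
    fi
}

# Demo against mock trees (run with --demo); omit the argument on a real host.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_mock "$tmp/on" 1;   bridge_nf_status "$tmp/on"
    make_mock "$tmp/off" 0;  bridge_nf_status "$tmp/off"   || true
    make_mock "$tmp/none" "" ; bridge_nf_status "$tmp/none" || true
    rm -rf "$tmp"
fi
```

Running `bridge_nf_status` with no argument on the bridging host answers question (b) directly: "absent" or "disabled" means the FORWARD hook is never reached for bridged traffic.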