Hi Martin!

I just applied the bridge-nf and ebtables patches and tried it, and I can
match packets in the mangle table as usual (I also have to use FORWARD for
packets passing through the machine).

> <bill-the-cat-sound> Ack! I meant to say:
>
> "It sounds like you are running bridging without the netfilter hooks."
>
> But, of course, you understood what I meant.
>
> : No, I'm not running with ebtables+nf support. From what I understand
> : (and please correct me if I'm wrong), patching the kernel with
> : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
> : and NAT chains which you can match traffic on.
> :
> : However, I need to match traffic in the mangle table, so the ebtables
> : table won't help me.
>
> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).
>
> : (a) If I add the bridge-nf + ebtables patches, will I be able to match
> : traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
>
> Good question. I haven't used the OUTPUT and POSTROUTING chains, but I
> have used the FORWARD chain on a bridge+nf installation. I think the link
> you forwarded to this list earlier today [1] shows the sequence of
> netfilter hook traversal, but assumes that you are running bridge+nf.
>
> : (b) Why does netfilter not currently see the traffic even though a tcpdump
> : on eth0/eth1 shows all the traffic passing through the interfaces?
>
> See above....
>
> -Martin
>
> [1] http://www.sparkle-cc.co.uk/firewall/firewall.html

--
Regards
 Abraham

It is more rational to sacrifice one life than six.
        -- Spock, "The Galileo Seven", stardate 2822.3

___________________________________________________
 Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
 P.O. Box 3472, Matieland, Stellenbosch, 7602
 Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
 Email: abz@xxxxxxxxxxxx