On Wednesday 20 August 2003 15:14, S Mohan wrote:
> Doh. So dumb of me. I have documented this but this skipped my attention.
> Thanks Staf. AFAIK, in a bridged mode, only the FORWARD table is processed.
> The packet does not traverse any other traditional netfilter table. This is
> the reason for the existence of ebtables. ebtables provides all these
> tables within its realm.

Just for the record, as I'm the maintainer of ebtables and the bridge-nf code I can safely say that these statements above are not correct.

ebtables is there to filter on non-IP stuff, more specifically the Ethernet header. In 2.6 or in a patched (with the bridge-nf patch) 2.4 kernel, the PREROUTING/FORWARD/POSTROUTING iptables chains see bridged traffic. This is therefore different than the behaviour with the old patch vs 2.2 for ipchains.

Anyone interested can go to ebtables.sourceforge.net, the working of iptables on a bridge is explained there in detail. Please update your documentation.

cheers,
Bart