On Sat, 4 Sep 2004 08:21:21 -0700 (PDT), Sorin Capra wrote
> Thank you for the quick reply
>
> It works now, but I still have one question: why didn't it work before (in FORWARD)? It should have worked, shouldn't it?

1) Have you tried to do:

    iptables -t filter -L -nv

and check if counters are non-zero for rules with mac source matches?

2) In kernel source I have found something like this (net/ipv4/netfilter/ipt_mac.c file):

    static int
    ipt_mac_checkentry(const char *tablename,
                       const struct ipt_ip *ip,
                       void *matchinfo,
                       unsigned int matchsize,
                       unsigned int hook_mask)
    {
        /* FORWARD isn't always valid, but it's nice to be able to do --RR */
        if (hook_mask
            & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN)
                | (1 << NF_IP_FORWARD))) {
            printk("ipt_mac: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");
            return 0;
        }

        if (matchsize != IPT_ALIGN(sizeof(struct ipt_mac_info)))
            return 0;

        return 1;
    }

Maybe during traversing filter/FORWARD hook mac field in skb structure is not valid, because packet is being forwarded between two ifaces.

> Bests,
> Sorin

Bests,
Tomasz Chilinski
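The counter check suggested in point 1 can be scripted. The following is an added example, not part of the original message: it scans `iptables -L -nv` output and reports MAC-match rules whose packet counter is still zero. The function names and the sample listing are constructed for illustration, and it assumes every rule has a target and that the match is printed as `MAC <address>`.

```shell
#!/bin/sh
# Report MAC-match rules that have never matched a packet.
# Reads `iptables -t filter -L -nv` output on stdin and prints one line
# per such rule: CHAIN TARGET MAC-ADDRESS

zero_mac_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }   # remember the current chain
        $1 == "pkts"  { next }               # skip the column header
        NF == 0       { next }               # skip blank separator lines
        {
            # Look for the mac match in the rule options.
            mac = ""
            for (i = 1; i < NF; i++)
                if ($i == "MAC") mac = $(i + 1)
            # Field 1 is the packet counter, field 3 the target
            # (assumes the rule has a target, otherwise fields shift).
            if (mac != "" && $1 == "0")
                print chain, $3, mac
        }
    '
}

# Constructed sample listing (not captured from a real host): the same
# source MAC is matched in INPUT, where it has hits, and in FORWARD,
# where the counter never moved.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3528 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:55

Chain FORWARD (policy DROP 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:55
  310   25K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF
}

sample_listing | zero_mac_rules
```

On a live system, run `iptables -t filter -L -nv | zero_mac_rules` as root after sending some test traffic from the host in question.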