On Tue, 5 Dec 2006 13:37:29 +0100 Tino Keitel <tino.keitel at innominate.com> wrote:

> Hi folks,
>
> in 2.4 kernels, device matching for bridged packets was done with
> iptables -i/-o. Since 2.6, I used to use -m physdev here.
>
> In 2.6.18, this seems to be more complicated. At least the filter/INPUT
> chain now doesn't match with -m physdev --physdev-in anymore, but
> FORWARD and OUTPUT do. I also read the note that -m physdev is now
> deprecated for non-bridged traffic.
>
> Does this mean that
>
> 1. I have to use the physdev match for bridged traffic, e.g. FORWARD,
>    POSTROUTING, PREROUTING
>
> 2. I have to use iptables -i in the INPUT chain and in PREROUTING
>
> 3. I have to use the physdev match in the OUTPUT chain
>
> 4. I have to distinguish between bridged and locally processed or
>    routed traffic in PREROUTING, since bridged traffic needs -m
>    physdev, whereas the other traffic needs -i
>
> 5. until now, outgoing traffic is always matched with -m physdev, but
>    this will change in the future. If the change is made, I'll have to
>    distinguish in the same way as for incoming traffic
>
> Regards,
> Tino
> _______________________________________________
> Bridge mailing list
> Bridge at lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge

Post netfilter questions to netfilter at lists.netfilter.org

-- 
Stephen Hemminger <shemminger at osdl.org>