On Sun, 21 Oct 2007 00:21:57 -0400 s24067@xxxxxx wrote:

> Hello folks, I'm hoping someone can help me here. I'll try to describe the problem in detail.
>
> I'm attempting to set up a bridging firewall using libipq. I'm running on Ubuntu Server 7.04, out of the box kernel (2.6.20).
> My bridge is set up with the following commands:
> --
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 eth1
> brctl addif br0 eth2
> ifconfig eth1 down
> ifconfig eth2 down
> ifconfig eth1 0.0.0.0 up
> ifconfig eth2 0.0.0.0 up
> ifconfig br0 0.0.0.0 up
> --
>
> IP queue is set up with the following:
> --
> iptables -A FORWARD -j QUEUE
> modprobe ip_queue
> --
>
> The bridge works fine. Traffic is sent back and forth. My libipq app can see traffic and stop it. However, one thing I would like to be able to find out in user space is which interface a packet arrived on (i.e. which direction it's going). As far as IPQ is concerned, all packets are arriving and leaving on br0.
> After reading a bit more about netfilter, iptables and the FIREWALL document distributed with brctl, I figured my best bet would be to do something like this:
> iptables -A INPUT -i eth1 -j MARK --set-mark 1
> iptables -A INPUT -i eth2 -j MARK --set-mark 2
>
> This way I could just check the mark value when the packet got sent to QUEUE (and up to user space) from the FORWARD chain. However, this doesn't work. From everything I can tell, packets traversing the bridge do not even go through the INPUT chain, as I can put in this rule:
> iptables -A INPUT -j DROP
>
> yet traffic still flows through fine (as long as my libipq app is running).
>
> Does anyone here have any ideas? I would really appreciate any suggestions.
>
> Cheers,
> David Vessey

Ask on the netfilter-devel mailing list and Patrick McHardy.

--
Stephen Hemminger <shemminger@xxxxxxxxxxxxxxxxxxxx>

_______________________________________________
Bridge mailing list
Bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/bridge
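For the problem David describes (bridged frames never traverse INPUT, so an interface mark set there is never seen), here is an added example that is not part of the thread or of either poster's setup: the mark is set in FORWARD with the physdev match, which sees the bridge port rather than br0, and the user-space side maps the mark value it finds in the queued message's mark field back to a port. It assumes eth1 and eth2 under br0 as in the post, that the physdev match is available, and that the port names and mark values are the ones chosen here; set DRY_RUN=1 to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original thread. Marks bridged frames by ingress
# bridge port in the FORWARD chain (the chain the poster's QUEUE rule already
# proves is traversed), then queues them so the libipq application can read
# the port from the mark field of the packet message it receives.
IPT="${IPT:-iptables}"          # assumed binary name
LAN_PORT="${LAN_PORT:-eth1}"    # bridge ports, as in the post
WAN_PORT="${WAN_PORT:-eth2}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Order matters: mark by bridge ingress port first, then hand to QUEUE.
# -i would only match br0 here; --physdev-in matches the physical port.
install_mark_rules() {
    run "$IPT" -A FORWARD -m physdev --physdev-in "$LAN_PORT" -j MARK --set-mark 1
    run "$IPT" -A FORWARD -m physdev --physdev-in "$WAN_PORT" -j MARK --set-mark 2
    run "$IPT" -A FORWARD -j QUEUE
}

# User-space side of the same convention: translate the mark value carried in
# the queued packet message back to the port the frame arrived on. Anything
# else means the frame was not marked (e.g. a port not covered by the rules).
port_for_mark() {
    case "$1" in
        1) echo "$LAN_PORT" ;;
        2) echo "$WAN_PORT" ;;
        *) echo "unknown" ;;
    esac
}
```

Bridged traffic reaches iptables only while bridge-nf is forwarding it (the poster's working QUEUE rule shows it is); verify with `iptables -L FORWARD -v` that the physdev rules count packets before trusting the mark in user space.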