could you tell me more?
of course , iptables use physdev option, but from ebtables call iptable's rule which uses physdev , the rule recognize physdev-in the same as physdev-out as bridge device.
if am i right?
thanks
At 2014-04-15 03:00:53,"Bart De Schuymer" <bdschuym@xxxxxxxxxx> wrote: >longguang.yue schreef op 10/04/2014 8:03: >> br_nf_forward_ip() { >> parent = bridge_parent(out); >> NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent, >> br_nf_forward_finish); >> } >> here, let us suppose pf = NFPROTO_IPV4, i think the return value of >> brnf_get_logical_dev(skb, in) equals parent ? >> its comment 'This is the 'purely bridged' case. For IP, we pass the >> packet to >> * netfilter with indev and outdev set to the bridge device' >> so when calls hooks at ipv4 level >> like iptable_filter_hook,iptable_mangle_hook, we can not distinct in and >> out devices? >> in other word, we can not use in/out dev with ebtables's ip extension. >> thanks >> > >You need to use the iptables physdev module to filter on the physical ports. > >cheers, >Bart >
