Patrick McHardy wrote: > Philip Craig wrote: >> Patrick McHardy wrote: >>>> $IPTABLES -A FORWARD -i $BR_GUEST -o $BR_INT -m physdev --physdev-out $IF_DMZ -p tcp --dport 3389 -j ACCEPT >>> Try adding "--physdev-is-bridged" to your rules. Without that the kernel >>> is not able to tell whether they apply only to bridged packets or also >>> to forwarded or locally generated ones. >> That won't work for the above rule, for example, since the packet is >> being forwarded between two different bridges, so it is not bridged. > > > I see nothing indicating that it is being forwarded. They are different bridges, BR_GUEST and BR_INT, doesn't that mean it must be forwarded? > bridge-netfilter > passes packets though the iptables hooks by default. Yes, but if the destination is a different bridge then isn't it passed up to the IP layer without going through NF_BR_FORWARD, and so BRNF_BRIDGED is never set? And more importantly, nf_bridge->physoutdev is never set until the output bridge processes it. - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
