Volker Sauer wrote:
> In case someone is using physdev in OUTPUT, display the message like it
> is now: "using --physdev-out in the OUTPUT chains for non-bridged traffic
> is not supported anymore".
Ok.
> In case it is used inside FORWARD, check if all physdev interfaces are
> members of the same bridge.
As Patrick said, that condition may change over time. I like to have all
my ruleset loaded before the network is configured, even before some
interfaces exist. Your proposed change would prevent it. Besides, my
opinion is that it is not the job of iptables to do such checks.
> If yes, accept the rule, because then it is
> allowed to use it!!! (Which is the case for all the thousands of rules in
> my firewalls except the 5 that I sent to this list :-().
> If no, display a message like this:
> "physdev match: using --physdev-out in the FORWARD chains is only
> allowed if all physical interfaces are members of the same bridge."
This is wrong and inaccurate. Using --physdev-out in the FORWARD and
POSTROUTING chains is supported for *bridged* traffic only, period. All
physical interfaces being members of the same bridge is not a sufficient
condition to make sure that only bridged traffic will be matched.
Traffic can still be routed from a bridge to itself.
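As an added illustration (not code from this thread or from iptables), a small Python lint over a constructed iptables-save style ruleset: it implements the same-bridge check proposed above beside a check for the condition the reply actually requires, using the physdev match's --physdev-is-bridged option (a real option of the match, not mentioned in the thread) to restrict a rule to bridged traffic. The rules and the interface-to-bridge map are constructed sample data standing in for a live ruleset and bridge query.

```python
import re

# Chains in which --physdev-out is accepted at all; in OUTPUT it is not
# supported for non-bridged traffic (the message quoted in the thread).
OUT_ALLOWED = {"FORWARD", "POSTROUTING"}

# Constructed sample ruleset (iptables-save syntax), not from the thread.
RULES = [
    "-A OUTPUT -m physdev --physdev-out eth0 -j ACCEPT",
    "-A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT",
    "-A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 "
    "--physdev-out eth1 -j ACCEPT",
    "-A FORWARD -i br0 -o eth2 -j ACCEPT",
]
# Constructed interface -> bridge map, standing in for a live bridge query.
BRIDGE_OF = {"eth0": "br0", "eth1": "br0", "eth2": None}

def parse(rule):
    """Split an '-A CHAIN ...' line into (chain, body); None if not a rule."""
    m = re.match(r"-A\s+(\S+)\s+(.*)", rule.strip())
    return (m.group(1), m.group(2)) if m else None

def physdev_ifaces(body):
    """Interfaces named by --physdev-in / --physdev-out in a rule body."""
    return re.findall(r"--physdev-(?:in|out)\s+(\S+)", body)

def same_bridge_check(rule, bridge_of):
    """The check proposed in the thread: accept the rule when every physdev
    interface is a port of one and the same bridge."""
    parsed = parse(rule)
    ifaces = physdev_ifaces(parsed[1]) if parsed else []
    if not ifaces:
        return True  # nothing to check
    bridges = {bridge_of.get(i) for i in ifaces}
    return len(bridges) == 1 and None not in bridges

def lint_physdev(rules):
    """Flag --physdev-out uses that are unsupported (OUTPUT) or not limited
    to bridged traffic (no --physdev-is-bridged in FORWARD/POSTROUTING)."""
    findings = []
    for rule in rules:
        parsed = parse(rule)
        if not parsed or "--physdev-out" not in parsed[1]:
            continue
        chain, body = parsed
        if chain not in OUT_ALLOWED:
            findings.append((rule, "--physdev-out in %s is not supported "
                             "for non-bridged traffic" % chain))
        elif "--physdev-is-bridged" not in body:
            findings.append((rule, "--physdev-out in %s without "
                             "--physdev-is-bridged also matches routed "
                             "traffic (bridge to itself included)" % chain))
    return findings
```

Note that the second sample rule passes same_bridge_check yet is still flagged by lint_physdev, which is the reply's point.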