Re: Problem with new --physdev-out style

On Wed, 24 Oct 2007, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> As Patrick said, that condition may change over time. I like to have all my 
> ruleset loaded before the network is configured, even before some interfaces 
> exist. Your proposed change would prevent it. Besides, my opinion is that it 
> is not the job of iptables to do such checks.

Agreed.

>
>> If yes, accept the rule, because then it is
>> allowed to use it!!!  (Which is the case for all the thousands of rules in
>> my firewalls except the 5 that I sent to this list :-().
>> If no, display a message like this:
>> "physdev match: using --physdev-out in the FORWARD chains is only allowed 
>> if all physical interfaces are members of the same bridge."
>
> This is wrong and inaccurate. Using --physdev-out in the FORWARD and 
> POSTROUTING chains is supported for *bridged* traffic only, period. All 
> physical interfaces being members of the same bridge is not a sufficient 
> condition to make sure that only bridged traffic will be matched. Traffic 
> can still be routed from a bridge to itself.

Yes, it is inaccurate.
But I think one needs a better explanation. I'm a power-user but still a
user, not a developer. Users think in different terms and speak another
language.
Maybe an advice like 'look for the option "--physdev-is-bridged" - it
may help you' or so would be good.

-- 
  Volker Sauer  *  Poststrasse 1/601   *   64293 Darmstadt  *   Germany
  E-Mail/Jabber: volker(at)volker-sauer.de * http://www.volker-sauer.de
  PGPKey-Fingerprint: DB26 11C7 B12E 0B27 3999 2E4F 7E35 4E4D 5DD5 D0E0
  http://wwwkeys.de.pgp.net/pks/lookup?op=get&search=0x7E354E4D5DD5D0E0 
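A static pre-load check that follows the rule Pascal states above (--physdev-out in the FORWARD or POSTROUTING chain is for bridged traffic only, so it needs --physdev-is-bridged alongside it); because it only inspects the rule text, it works before any interface exists. This is an added example, not code from the thread; the function names and the sample rules are constructed.

```shell
#!/bin/sh
# lint_physdev_rule RULE
#   returns 0 when RULE is fine, 1 when it uses --physdev-out in FORWARD or
#   POSTROUTING without a (non-negated) --physdev-is-bridged.
lint_physdev_rule() {
    rule=" $1 "
    # Only FORWARD and POSTROUTING are affected: there the outgoing physical
    # port is known for bridged frames only, routed traffic has none yet.
    case "$rule" in
        *" -A FORWARD "*|*" -I FORWARD "*|*" -A POSTROUTING "*|*" -I POSTROUTING "*) ;;
        *) return 0 ;;
    esac
    case "$rule" in
        *" --physdev-out "*) ;;
        *) return 0 ;;
    esac
    case "$rule" in
        *" ! --physdev-is-bridged "*) return 1 ;;   # negated: routed traffic only
        *" --physdev-is-bridged "*)   return 0 ;;
        *)                            return 1 ;;
    esac
}

# lint_ruleset TEXT
#   runs lint_physdev_rule over every non-comment line of TEXT, reports the
#   offenders on stderr and prints the number of offenders on stdout.
lint_ruleset() {
    count=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! lint_physdev_rule "$line"; then
            printf 'needs --physdev-is-bridged: %s\n' "$line" >&2
            count=$((count + 1))
        fi
    done <<EOF
$1
EOF
    echo "$count"
}

# Constructed sample ruleset (not from the original thread): rules 1 and 3
# are the weak form, rule 2 is the corrected form, rule 4 is unaffected.
SAMPLE_RULES='# constructed sample
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth1 -j ACCEPT
iptables -A INPUT -m physdev --physdev-in eth0 -j ACCEPT'

lint_ruleset "$SAMPLE_RULES"   # prints 2
```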
