Hi guys I run into the same problem like some other people (Like Philip and Greg as far as google tells me) here on the list. I try to warm-up the discussion, since I think currently it's no good solution. Since --physdev-out does not work anymore for connections coming from outside the bridge, it's not possible anymore to *simply* create some sort of filter rules. I understand that you can solve the problem by creating rules by ip addresses instead of physdev-out devices and then allow by ebtables only that ip addresses on that devices of which you know they are behind. Or, you mark and then filter with ebtables by the nfmark. That's the solution I chose, since I do not always know which ip pools I have behind that interface. It would be ways easier to simply filter by physdev-out. But, this nfmark story turned out to be really a complex, complicated nightmare, where you end debugging your rules with a pocket calculator. Needless to say that it is error-prone at its best. And some cases you even can't map with. The necessity to filter physdev-out interfaces happens mostly if you need bridged vpn endpoints, like Philip had. You bridge together a vpn endpoint with a local bridge, due to protocols where this is necessary, and at the same time you want to restrict the traffic coming from another device (which is not within the bridge) which needs to go into the vpn. I understand that this change was necessary and it's saner now and that it solved other problems. But I think that old functionality is somehow saner to use. The possible solutions I am aware of IMHO are just workarounds, which sooner or later bring people in trouble. Now I am not that familiar with that code and it takes me surely a while to understand if there could be a sane solution. So I would like to ask if you guys know of a better solution or can help me going in the right direction. thanks peter -- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: peter@xxxxxxxxxx
begin:vcard fn:Peter Warasin n:;Peter Warasin org:Endian GmbH/Srl adr:;;Pillhof 47;Frangart/Frangarto;BZ;I-39010;Italien/Italia email;internet:peter@xxxxxxxxxx tel;work:+39 0471 631763 tel;fax:+39 0471 631764 x-mozilla-html:FALSE url:http://www.endian.com version:2.1 end:vcard
