>>> and POSTROUTING hook until the outgoing bridge port was determined by
>>> the bridge code. This "feature" was removed because it broke all
>>> kinds of things, now the order matches the layering and IPv4 hooks
>>> are always processed entirely before bridging.
>>
>> Now the order is .. non-consistent.
>> On a pure bridge forward (-i br -o br), as I have determined,
>> ebtables-nat-POSTROUTING comes _before_ the IPv4 hooks.
>
> That's indeed inconsistent. I don't believe this has changed however,
> the IPv4 POSTROUTING hook was always called from the bridge POSTROUTING
> hook (with similar priorities).

This woke me up in the middle of the night - I also mark packets in
ebtables BROUTE based on the incoming interface and then test all over
the place in iptables based on that mark.

One of the most important is a test for -s {private IP Address} coming
in from the Internet. But there are lots of other tests based on source
IP and incoming interface. I really really really need to know the
incoming interface.

This still seems to work - ebtables BROUTE still seems to come before
iptables NAT PREROUTING and my ebtables BROUTE marks all show up in
iptables.

Am I on solid ground for the future if I keep this up?

Thanks - Greg
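The marking scheme the message describes, sketched as an added example that is not part of the original post or of anyone's actual rule set: frames are tagged by ingress port in ebtables BROUTING, iptables drops marked packets that claim a private source, and a counting probe rule shows whether ebtables marks still reach iptables after a kernel change. The interface name `eth0`, the mark value `0x1`, the use of the `mangle` table and the RFC 1918 ranges are assumptions.

```shell
#!/bin/sh
# Constructed example: interface name and mark value are assumptions.
WAN_IF="${WAN_IF:-eth0}"     # hypothetical Internet-facing bridge port
WAN_MARK="${WAN_MARK:-0x1}"  # hypothetical mark meaning "arrived on WAN_IF"
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the rule set, one command per line, so it can be reviewed first.
gen_rules() {
    wan_if="$1"; mark="$2"
    # Tag frames in BROUTING by ingress port; CONTINUE leaves the
    # bridge-or-route decision to later rules and the chain policy.
    echo "ebtables -t broute -A BROUTING -i $wan_if -j mark --mark-set $mark --mark-target CONTINUE"
    # Drop packets that carry the WAN mark but claim a private source.
    for net in $RFC1918; do
        echo "iptables -t mangle -A PREROUTING -m mark --mark $mark -s $net -j DROP"
    done
}

# Rule with no target: it only counts packets carrying the mark. If the
# counter stays at zero under WAN traffic, the marks are not reaching
# iptables and every mark-based test has silently stopped matching.
gen_probe() {
    echo "iptables -t mangle -I PREROUTING -m mark --mark $1 -m comment --comment broute-mark-probe"
}

# Dry run by default; set APPLY=1 (as root) to execute the commands.
apply_rules() {
    gen_rules "$1" "$2" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || return 1
        else
            echo "DRY: $cmd"
        fi
    done
}
```

Run `apply_rules "$WAN_IF" "$WAN_MARK"` to review the commands, then read the probe counter with `iptables -t mangle -L PREROUTING -v -n` after each kernel upgrade.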