Jan Engelhardt wrote:

> FYI: This is talking about "pure"-bridged traffic, i.e. traffic that will
> go from one bridge port to another without touching the "routing decision"
> box in [1]. In iptables terminology, that's
>
> FORWARD -i br0 -o br0
>
> style traffic. Since the RST packet REJECT creates goes through
> OUTPUT, I would assume no forwarding would take place, and the
> ip_forward flag would not be relevant. The BRNF_BRIDGED clause therefore
> seems wrong because it will always be a non-local saddr.

I can understand this better now based on your explanation :-)

But I think this clause is okay. The addr_type == RTN_LOCAL path works for pure bridged traffic because ip_route_me_harder() avoids routing using saddr if saddr is foreign.

We can't specify addr_type != RTN_LOCAL for the pure bridging case, because that tries to route the RST as though we received it from the network, which will fail if ip forwarding is disabled.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html