On Thursday 2009-03-12 07:04, Philip Craig wrote:

>Jan Engelhardt wrote:
>> FYI: This is talking about "pure"-bridged traffic, i.e. traffic that will
>> go from one bridge port to another without touching the "routing decision"
>> box in [1]. In iptables terminology, that's
>>
>> FORWARD -i br0 -o br0
>>
>> style traffic. Since the RST packet REJECT creates goes through
>> OUTPUT, I would assume no forwarding would take place, and the
>> ip_forward flag would not be relevant. The BRNF_BRIDGED clause therefore
>> seems wrong because it will always be a non-local saddr.
>
>I can understand this better now based on your explanation :-)
>But I think this clause is okay.
>
>The addr_type == RTN_LOCAL path works for pure bridged traffic
>because ip_route_me_harder() avoids routing using saddr if
>saddr is foreign.
>
>We can't specify addr_type != RTN_LOCAL for the pure bridging case,
>because that tries to route the RST as though we received it
>from the network, which will fail if ip forwarding is disabled.
>

So what about the OP's observation that nskb->nf_bridge == NULL?
Just because the incoming packet came in over a bridge does not mean
the RST is going over one too, and that being the deciding factor for
RTN_LOCAL or not, is it?