Way cool. Thanks for the note. It works again.

On Thursday 06 November 2003 14:52, Cedric Blancher wrote:
> On Thu 06/11/2003 at 22:07, Tim Gardner wrote:
> > I have a well behaved bridge firewall using 2.4.22 with the relevant
> > P-O-M patches applied. In testing 2.6.0-test9 I have determined that
> > interface specification on a rule no longer works. For example, the first
> > rule in the set that should catch 99% of all inbound TCP packets is
> >
> > iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j
> > ACCEPT
> >
> > If the interface is specified, then this rule does not accrue any packets.
> > Is this an expected change in behavior from 2.4.22?
>
> When using a bridged firewall with 2.6 kernels, the inbound interface is
> the bridge interface, i.e. br0, and it is the outbound one as well...
> That's why you have the physdev match, which allows one to match the
> _physical_ interface, among all those belonging to the bridge, that
> actually received the packet.
>
>
> cbr@elendil:~$ iptables -m physdev --help
> iptables v1.2.8
> [...]
> physdev v1.2.8 options:
> --physdev-in [!] input name[+] bridge port name ([+] for wildcard)
> --physdev-out [!] output name[+] bridge port name ([+] for wildcard)
>
>
> So, in your case:
>
> iptables -A FORWARD -i br0 -m physdev --physdev-in $EXTIF \
> -m state --state ESTABLISHED,RELATED -j ACCEPT

--
Tim Gardner - timg@xxxxxxx 406-443-5357
TriplePoint, Inc. - http://www.tpi.com
PGP: http://www.tpi.com/PGP/Tim.txt
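As an added example (not code from the thread or from either poster), the script below audits a 2.4-style ruleset for rules that match on a physical port with -i/-o and will therefore silently match nothing on a 2.6 bridge, and rewrites them into the physdev form Cedric gives above. It assumes the bridge device is br0; eth0/eth1 and the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread. A 2.4-style bridge-firewall rule that
# matches on the physical interface (-i eth0) never matches on 2.6, where the
# packet's in/out interface is the bridge device and the port is selected with
# the physdev match. Assumptions: bridge device br0 (override with BRIDGE=...);
# eth0/eth1 and the sample rules are constructed; the "-i ! ethX" negation form
# is not handled.
BRIDGE=${BRIDGE:-br0}

# bridge_rule RULE: print RULE rewritten for a 2.6 bridge firewall.
# " -i ethX" becomes " -i br0 -m physdev --physdev-in ethX" and
# " -o ethX" becomes " -o br0 -m physdev --physdev-out ethX"; a rule that
# already uses physdev is printed unchanged.
bridge_rule() {
    printf '%s\n' "$1" | awk -v br="$BRIDGE" '
        /--physdev-/ { print; next }
        { for (i = 1; i < NF; i++) {
              if ($i == "-i" && $(i+1) != br) $(i+1) = br " -m physdev --physdev-in " $(i+1)
              if ($i == "-o" && $(i+1) != br) $(i+1) = br " -m physdev --physdev-out " $(i+1)
          }
          print }'
}

# audit_rules < RULES: print every rule that names a non-bridge interface with
# -i/-o and has no physdev match; on a 2.6 bridge such a rule accrues nothing.
audit_rules() {
    awk -v br="$BRIDGE" '
        /--physdev-/ { next }
        { for (i = 1; i < NF; i++)
              if (($i == "-i" || $i == "-o") && $(i+1) != br) { print; next } }'
}

# Constructed sample ruleset written in the 2.4 style.
RULES='iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i br0 -m physdev --physdev-in eth1 -j ACCEPT
iptables -A FORWARD -j DROP'

echo "Rules that silently match nothing on a 2.6 bridge:"
printf '%s\n' "$RULES" | audit_rules
echo
echo "Same ruleset rewritten for 2.6:"
printf '%s\n' "$RULES" | while IFS= read -r rule; do bridge_rule "$rule"; done
```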