Mike Williams wrote:
The bridge catches incoming ethernet frames before the IP stack can see
them. So an ethernet frame forwarded from colo to public does not hit
the IP stack, unless it is an ethernet broadcast.
Or destined for an IP/MAC assigned to the bridge interface?
If a unicast ethernet frame is destined for the MAC address assigned to
the bridge interface, there is no reason that it is forwarded from an
interface of the bridge to another. Ethernet broadcast is an exception
because the frame is forwarded to all the other interfaces of the bridge
and to the IP stack. I guess that multicast ethernet frames have a
special processing too, but I don't know much about this subject.
That also explains the necessity for ebtables in addition to ip[6]tables.
Yes, ip[6]tables works at the network layer (routing) and ebtables
at the link layer (bridging).
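As an added illustration (not part of the thread), here is a small Python model of the per-frame decision described above: whether a frame is bridged between ports, handed to the local IP stack, or both, and which filter chains see it. The bridge MAC, port names and learned-address table are constructed values; the `nf_call_iptables` flag models the br_netfilter sysctl `net.bridge.bridge-nf-call-iptables`, which the thread does not mention and which, when enabled, also lets iptables FORWARD see bridged IP frames.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    dst_mac: str
    ingress: str  # bridge port the frame arrived on, e.g. "colo"


@dataclass
class Bridge:
    mac: str                 # MAC of the bridge interface itself (constructed)
    ports: tuple             # member ports, e.g. ("colo", "public")
    fdb: dict = field(default_factory=dict)  # learned MAC -> port
    nf_call_iptables: bool = False  # models net.bridge.bridge-nf-call-iptables

    def decide(self, frame: Frame) -> dict:
        """Return where the frame goes and which filter chains it crosses."""
        dst = frame.dst_mac.lower()
        others = [p for p in self.ports if p != frame.ingress]
        if dst == self.mac.lower():
            # Unicast to the bridge's own MAC: local delivery only, never bridged.
            return {"egress": [], "ip_stack": True,
                    "chains": ["ebtables INPUT", "iptables INPUT"]}
        if is_group_address(dst):
            # Broadcast (and, by default, multicast) is flooded to every other
            # port AND a copy is handed to the local IP stack.
            chains = ["ebtables FORWARD", "ebtables INPUT", "iptables INPUT"]
            if self.nf_call_iptables:
                chains.insert(1, "iptables FORWARD")
            return {"egress": others, "ip_stack": True, "chains": chains}
        # Unicast to another host: bridged only. The IP stack never sees it,
        # so ip[6]tables INPUT/OUTPUT cannot filter it; that is ebtables' job.
        if dst in self.fdb:
            learned = self.fdb[dst]
            egress = [] if learned == frame.ingress else [learned]
        else:
            egress = others  # unknown destination: flood to the other ports
        chains = ["ebtables FORWARD"] if egress else []
        if egress and self.nf_call_iptables:
            chains.append("iptables FORWARD")  # only with br_netfilter loaded
        return {"egress": egress, "ip_stack": False, "chains": chains}
```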