Problem with new --physdev-out style

Volker Sauer <volker@xxxxxxxxxxxxxxx> · Wed, 24 Oct 2007 09:18:54 +0200

Hi,

with recent kernels, I have this problem:

kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore.

What does "non-bridged" in this context mean?? If it means rules (or
traffic) that goes over the INPUT our OUTPUT chain, I do not understand,
why my rule set causes this message to appers a thousand times.

Here's all my rules with --physdev-out:

arthur: ~ # grep physdev-out /etc/init.d/firewall
$IPTABLES -A FORWARD -o $BR_INT -m physdev --physdev-out $IF_INT -i $IF_EXT -d $localnet -s $Any -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_INT --physdev-out $IF_DMZ -s $ZAPHOD -j ACCEPT
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_INT --physdev-out $IF_DMZ -s $localnet -p tcp -d $MARVIN --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_DMZ --physdev-out $IF_INT -d $ZAPHOD -p tcp --dport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_DMZ --physdev-out $IF_INT -d $ZAPHOD -p udp --dport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_DMZ --physdev-out $IF_INT -d $ZAPHOD -p tcp --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_DMZ --physdev-out $IF_INT -d $ZAPHOD -p udp --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -i $BR_INT -m physdev --physdev-in $IF_INT --physdev-out $IF_DMZ -s $ZAPHOD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $BR_INT -m physdev --physdev-out $IF_INT -i $BR_GUEST -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $BR_GUEST -o $BR_INT -m physdev --physdev-out $IF_DMZ -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -i $BR_GUEST -o $BR_INT -m physdev --physdev-out $IF_INT -p tcp --dport ssh -j ACCEPT
$IPTABLES -A FORWARD -i $BR_GUEST -o $BR_INT -m physdev --physdev-out $IF_INT -p tcp --dport 30022 -j ACCEPT
$IPTABLES -A FORWARD -i $IF_EXT -o $BR_INT -m physdev --physdev-out $IF_DMZ -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IF_EXT -o $BR_INT -m physdev --physdev-out $IF_DMZ -s $i -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

Where: 

BR_INT="br-intern"
BR_GUEST="br-guest"
IF_EXT="eth0"
IF_INT="eth1"
IF_DMZ="vlan3"

You see, I use --physdev-out only in the FORWARD with bridged traffic, 
because the Interfaces given with -i or -i in these rules are always 
bridges (br-intern or br-guest).

Why do I get thousands of these error messages?

-- 
  Volker Sauer  *  Poststrasse 1/601   *   64293 Darmstadt  *   Germany
  E-Mail/Jabber: volker(at)volker-sauer.de * http://www.volker-sauer.de
  PGPKey-Fingerprint: DB26 11C7 B12E 0B27 3999 2E4F 7E35 4E4D 5DD5 D0E0
  http://wwwkeys.de.pgp.net/pks/lookup?op=get&search=0x7E354E4D5DD5D0E0 
Attachment:
signature.asc

Description: Digital signature