On Wed, 24 Oct 2007, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:

> As Patrick said, that condition may change over time. I like to have all my
> ruleset loaded before the network is configured, even before some interfaces
> exist. Your proposed change would prevent it. Besides, my opinion is that it
> is not the job of iptables to do such checks.

Agreed.

>> If yes, accept the rule, because then it is
>> allowed to use it!!! (Which is the case for all the thousands of rules in
>> my firewalls except the 5 that I sent to this list :-().
>> If no, display a message like this:
>> "physdev match: using --physdev-out in the FORWARD chains is only allowed
>> if all physical interfaces are members of the same bridge."
>
> This is wrong and inaccurate. Using --physdev-out in the FORWARD and
> POSTROUTING chains is supported for *bridged* traffic only, period. All
> physical interfaces being members of the same bridge is not a sufficient
> condition to make sure that only bridged traffic will be matched. Traffic
> can still be routed from a bridge to itself.

Yes, it is inaccurate. But I think one needs a better explanation. I'm a
power-user but still a user, not a developer. Users think in different terms
and speak another language. Maybe advice like "look for the option
"--physdev-is-bridged" - it may help you" or so would be good.

--
Volker Sauer * Poststrasse 1/601 * 64293 Darmstadt * Germany
E-Mail/Jabber: volker(at)volker-sauer.de * http://www.volker-sauer.de
PGPKey-Fingerprint: DB26 11C7 B12E 0B27 3999 2E4F 7E35 4E4D 5DD5 D0E0
http://wwwkeys.de.pgp.net/pks/lookup?op=get&search=0x7E354E4D5DD5D0E0
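Pascal's correction (in FORWARD and POSTROUTING, --physdev-out is for bridged traffic only) and Volker's wish for a check that does not depend on which interfaces currently exist can both be served by a lint over the saved ruleset, run before it is loaded. This is an added example, not code from the thread or from iptables; it assumes rules in iptables-save syntax and treats a negated `! --physdev-is-bridged` as not satisfying the condition.

```shell
#!/bin/sh
# Pre-load lint for a ruleset in iptables-save syntax (added example).
# Flags --physdev-out / --physdev-is-out in the FORWARD or POSTROUTING chain
# without --physdev-is-bridged: there such a rule can only match bridged
# traffic, so the intent should be spelled out. Only the rule text is
# inspected, so it runs fine before any bridge or interface exists.

# check_physdev_rule RULE -> 0 if fine, 1 (message on stderr) if suspect
check_physdev_rule() {
    chain='' has_out=0 bridged=0 neg=0
    # shellcheck disable=SC2086 -- split the rule into its tokens on purpose
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-I) chain=$2; shift ;;          # chain name follows the flag
            '!') neg=1; shift; continue ;;     # negation applies to next option
            --physdev-out|--physdev-is-out) has_out=1 ;;
            --physdev-is-bridged)
                # "! --physdev-is-bridged" selects routed traffic: does not count
                if [ "$neg" -eq 0 ]; then bridged=1; fi ;;
        esac
        neg=0
        shift
    done
    case $chain in
        FORWARD|POSTROUTING)
            if [ "$has_out" -eq 1 ] && [ "$bridged" -eq 0 ]; then
                echo "physdev match: --physdev-out in $chain applies to bridged traffic only;" >&2
                echo "  add --physdev-is-bridged to the rule to say so explicitly." >&2
                return 1
            fi ;;
    esac
    return 0
}

# lint_ruleset < iptables-save-output -> prints the number of suspect rules
lint_ruleset() {
    bad=0
    while IFS= read -r line; do
        case $line in
            -A*|-I*) check_physdev_rule "$line" || bad=$((bad + 1)) ;;
        esac
    done
    echo "$bad"
}

# Constructed sample ruleset: first rule is suspect, second is the corrected form.
printf '%s\n' \
    '-A FORWARD -m physdev --physdev-out eth1 -j ACCEPT' \
    '-A FORWARD -m physdev --physdev-is-bridged --physdev-out eth1 -j ACCEPT' \
    | lint_ruleset   # prints 1
```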