I am filtering packets on a bridge. A simple bridge with no routing. Only IP and ARP packets.

I want to filter on a combination of destination MAC and the connection's state. ebtables, of course, knows nothing of connection state. iptables does not match by destination MAC. Reading a bit, I understand that the option doesn't exist because it doesn't always know it. But in my case it does.

How can I filter on this combination then? The only option I currently see is a combination:
- ebtables will filter on the FORWARD chain based on dest MAC, and mark the packets.
- iptables will filter on the FORWARD chain based on the mark and the connection state.

Ugly, but does the job. Is there a better way? Would it make sense to extend the iptables code to allow this?
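
The two-stage workaround described in the message above, as an added example that is not part of the original post: a dry-run generator that prints the ebtables marking rule and the iptables rules that match on that mark plus connection state. The MAC address, the mark value, the "accept established, drop new" policy and the helper names `valid_mac` and `gen_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints (does not apply) the rules for the two-stage filter.
# MAC, mark value and the drop-NEW policy are constructed for illustration.

# Succeeds only for a colon-separated 6-octet MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules MAC MARK: writes the commands to stdout, returns 1 on bad input.
gen_rules() {
    mac=$1
    mark=$2
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    printf '%s\n' "$mark" | grep -Eq '^0x[0-9A-Fa-f]+$' \
        || { echo "bad mark (want hex, e.g. 0x1): $mark" >&2; return 1; }
    cat <<EOF
# Let iptables see bridged IPv4 frames (needs the br_netfilter module).
sysctl -w net.bridge.bridge-nf-call-iptables=1
# Stage 1 (ebtables FORWARD, traversed first): mark IPv4 frames by dest MAC.
# ARP frames are not handed to iptables, so only IPv4 is marked.
ebtables -A FORWARD -p IPv4 -d $mac -j mark --mark-set $mark --mark-target CONTINUE
# Stage 2 (iptables FORWARD): combine the mark with the connection state.
iptables -A FORWARD -m mark --mark $mark -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m mark --mark $mark -m conntrack --ctstate NEW -j DROP
EOF
}

# Dry run with a constructed MAC; pipe the output to "sh" as root to apply it.
gen_rules 00:11:22:33:44:55 0x1
```

The mark set by ebtables is carried on the packet, which is why the iptables `mark` match can see it later in the same FORWARD traversal.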