On Saturday 2008-07-19 18:05, Michele Petrazzo - Unipex srl wrote:

> Jan Engelhardt wrote:
>> > Ok. Thanks for the simple, but complete explanation. But where to say "go out
>> > through the right one?"
>>
>> The fact is, you do not know in advance which is the right one.
>
> So there is no solution with the "marking into PREROUTING" technique?
> In my environment a packet that comes from an interface MUST go out through
> that one.

That will work easily, because the client contacts you first. It is when
the router has to decide a path for the first time. But since you will be
using a bridge device anyway, there is just one path (namely, br0).

>> > > And depending on the situation you might also need to enforce routing at
>> > > the bridge border so as to not open security holes.
>> > Have you some more words about this? Where can I find problems? How to
>> > modify routing?
>>
>> ebtables -t broute -P BROUTING DROP
>>
>> which will force all packets to be routed.
>
> I'll try it soon.
> But in this case, why doesn't the kernel "lose" the package that ebtables
> wants to DROP? Or does the kernel start to see which is the first hole where
> the packet can go inside and leave it there?
> Seems a very contorted thinking to me...

Ah just forget this one.

- create bridge device
- do as usual

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
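The setup the reply sketches (create the bridge, then use the broute DROP policy so bridged frames are routed and pass the iptables FORWARD chain instead of crossing the bridge unfiltered at layer 2), as an added example that is not part of the thread. It assumes ports eth0/eth1, bridge br0, iproute2 bridge support, a kernel and ebtables that still provide the broute table, and an illustrative default-deny FORWARD policy of my own; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. DRY_RUN=1 prints the
# commands instead of running them (no root needed to review the plan).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# $1 = bridge name, remaining args = port interfaces to enslave.
# Assumes iproute2 bridge support; 2008-era hosts used brctl instead.
setup_routed_bridge() {
    br="$1"; shift
    run ip link add name "$br" type bridge
    for port in "$@"; do
        run ip link set dev "$port" master "$br"
        run ip link set dev "$port" up
    done
    run ip link set dev "$br" up
    # Routing between the ports needs IP forwarding switched on.
    run sysctl -w net.ipv4.ip_forward=1
    # In the broute table DROP means "do not bridge, route instead": every
    # frame arriving on a port is handed to the IP stack as if received on
    # that port device, so nothing crosses the bridge at layer 2 without
    # passing the iptables FORWARD chain (assumes the broute table exists).
    run ebtables -t broute -P BROUTING DROP
    # Illustrative default-deny forwarding policy (an assumption, not from
    # the thread): only traffic of already-tracked connections passes, the
    # "client contacts you first" case the reply describes.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of commands the plan would execute, for a quick review.
plan_line_count() {
    DRY_RUN=1 setup_routed_bridge "$@" | wc -l | tr -d ' '
}

if [ "${DRY_RUN:-0}" = "1" ]; then
    setup_routed_bridge br0 eth0 eth1
fi
```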