I have iptables running on a bridge. The bridge has three interfaces. I am trying to understand what happens with flooded packets. Below are my conclusions. I would appreciate comments and corrections. If someone has a relevant link, that's even better.

- Flooding is done by the bridge code, and therefore flooded packets are seen twice in the FORWARD chain
- Conntrack counters are updated in PRE_ROUTING, and therefore
  - The connection counters are correct (not duplicate)
  - Counters are also updated for packets which are eventually dropped
- Conntrack confirms connections in POST_ROUTING, and therefore
  - Dropped connections are not confirmed
  - Accepted connections are confirmed twice, and that's harmless?

Thanks,
Gilad

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html