Re: Bridges

Jonathan Tripathy wrote:
>>>> Sorry, I used a bad choice of words - Would ebtables stop the frame reaching
>>>>  the remote host (VM in my case) is what I meant to say:)
>>> No. The two bridges are not connected to another in the first place,
>>> so the only way for a packet to come in on br0 and go out on br1 is
>>> routing, for which iptables is needed to filter.
> 
> But even without iptables, traffic couldn't cross without a router in the 
> middle, right?

Remember that Linux itself can act as a router.

> BTW, my post above wasn't really related to having 2 bridges, but more 
> of the "dumb hub" situation.

I think Jan misunderstood your question which was

> Incidentally, would using ebtables rules prevent the bridge from 
> going into "dumb hub" mode? Like let's say I said that "all traffic 
> leaving this interface must have this destination MAC address".

IIUC your question, yes, ebtables could do that. But beware when doing
this, you could easily break very useful things such as ARP resolution
(which uses broadcast) or IPv6 neighbour discovery (which uses multicast).
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
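
The kind of rule set discussed in the reply above, as an added example that is not part of the original thread: it pins frames leaving one bridge port to a single destination MAC while still passing ARP broadcast and IPv6 multicast. The port name `vif1.0`, the MAC `00:16:3e:00:00:01` and the helper `gen_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. vif1.0 and 00:16:3e:00:00:01 are constructed placeholder values.

# Print (do not apply) ebtables rules that restrict frames leaving bridge
# port $1 to destination MAC $2, plus the broadcast/multicast exceptions
# that ARP resolution and IPv6 neighbour discovery depend on.
gen_rules() {
    port=$1
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # The output is meant to be fed to a shell, so validate both inputs.
    case $port in
        ''|*[!A-Za-z0-9._-]*) echo "invalid port name: $1" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo "invalid MAC: $2" >&2
        return 1
    fi

    # FORWARD sees bridged frames; OUTPUT sees frames the host itself sends.
    for chain in FORWARD OUTPUT; do
        # Unicast to the pinned MAC (this also covers unicast ARP replies).
        echo "ebtables -A $chain -o $port -d $mac -j ACCEPT"
        # ARP requests are sent to the Ethernet broadcast address.
        echo "ebtables -A $chain -o $port -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT"
        # IPv6 multicast (neighbour discovery) maps to 33:33:xx:xx:xx:xx.
        echo "ebtables -A $chain -o $port -p IPv6 -d 33:33:00:00:00:00/ff:ff:00:00:00:00 -j ACCEPT"
        # Everything else leaving this port is dropped.
        echo "ebtables -A $chain -o $port -j DROP"
    done
}

# Dry run: show the rules for the placeholder port and MAC.
gen_rules vif1.0 00:16:3e:00:00:01
```

Review the printed rules before piping them to a root shell; without the two exception rules per chain, the host behind the port loses ARP and neighbour discovery as the reply warns.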

