Re: Bridges

On 24/08/10 19:07, Pascal Hambourg wrote:
> Jonathan Tripathy wrote:
>> On 24/08/10 15:44, Pascal Hambourg wrote:
>>> Jan's diagram pointed to by Karel Rericha explains paths in the IP layer
>>> and the link layer. However bridge-netfilter (the capability to send
>>> bridged packets through {ip,arp,ipv6}tables chains whereas they are not
>>> processed by the IP stack) makes things a bit more complicated.
>> I think what I am getting confused with is how am I able to use the
>> FORWARD chain in iptables with my bridge setup, even though forwarding
>> is disabled?
> Because of netfilter-bridge which allows to pass bridged packets through
> iptables chains. See the "link layer" part of the diagram, where
> bridging takes place. This behaviour can be controlled by sysctls in
> /proc/sys/net/bridge/ (see Documentation/networking/ip-sysctl.txt).

Ah I see. Just some special magic in netfilter-bridge.

So bottom line: no non-bridged IP traffic can get into the FORWARD chain without IP forwarding being enabled? And also, bridged traffic can not cross bridges unless forwarding is enabled (hence Linux is being used as a router itself), or there is a router of some sort in the middle?

Cheers
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
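
An added example, not part of the original message or of the netfilter project: a shell check of the sysctls discussed in this thread, reporting whether bridged frames are handed to iptables and whether IP forwarding is enabled. The files bridge-nf-call-iptables, bridge-nf-call-ip6tables and bridge-nf-call-arptables are the bridge-netfilter switches under /proc/sys/net/bridge/; the root-directory argument is a hypothetical override so the functions can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): report which traffic the iptables
# FORWARD chain can see. The optional root argument is a hypothetical
# override for testing against a constructed tree; it defaults to /proc.

# Print on/off/absent/unknown for one sysctl file.
read_flag() {
    if [ ! -r "$1" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$1")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Print "bridged=<state> routed=<state>":
#   bridged = bridged IPv4 frames are passed through iptables chains
#   routed  = the IP stack forwards (routes) packets at all
forward_chain_coverage() {
    root="${1:-/proc}"
    bridged=$(read_flag "$root/sys/net/bridge/bridge-nf-call-iptables")
    routed=$(read_flag "$root/sys/net/ipv4/ip_forward")
    echo "bridged=$bridged routed=$routed"
}

# Print one line per bridge-netfilter switch, or a note when the sysctl
# directory is missing (bridge-netfilter not built in or not loaded).
bridge_nf_report() {
    root="${1:-/proc}"
    dir="$root/sys/net/bridge"
    if [ ! -d "$dir" ]; then
        echo "bridge-netfilter sysctls absent: bridged frames are not passed to iptables"
        return 0
    fi
    for name in bridge-nf-call-iptables bridge-nf-call-ip6tables \
                bridge-nf-call-arptables; do
        echo "$name=$(read_flag "$dir/$name")"
    done
}

forward_chain_coverage
bridge_nf_report
```

A result of `bridged=on routed=off` matches the setup described in the thread: FORWARD rules apply to bridged packets while IP forwarding is disabled. A result of `bridged=off` or `bridged=absent` means FORWARD rules are not filtering traffic that crosses the bridge.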

