Re: ebtables ACCEPT policy vs ACCEPT target


 



On Wednesday 2010-12-29 19:48, Robert Pipca wrote:

>Hi Mr. Engelhardt,
>
>2010/12/17 Jan Engelhardt <jengelh@xxxxxxxxxx>:
>>>ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-dst
>>>200.152.32.0/24 -j redirect --redirect-target ACCEPT
>>>ebtables -t broute -A BROUTING -i eth2 -p ipv4 --ip-src
>>>200.152.32.0/24 -j redirect --redirect-target ACCEPT
>>
>> Odd combination of redirect with BROUTING. I am surprised ebtables
>> even allows the use of "redirect" outside its nat table.
>
>It's a recommendation from the squid guys:
>
>http://wiki.squid-cache.org/Features/Tproxy4#ebtables_on_a_Bridging_device

It is not overly wrong, just I did not expect to see it. Then again, 
ebtables has starkly diverged from iptables.


>>>ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp
>>>--ip-dport 80 -j redirect --redirect-target DROP
>>>ebtables -t broute -A BROUTING -i eth2 -p ipv4 --ip-proto tcp
>>>--ip-sport 80 -j redirect --redirect-target DROP
>>
>
>Do you have any other suggestions on how to do something like this:
>"Bridge all the traffic. Route tcp/80....BUT if it's from this
>network, then bridge it".

ebtables -t broute (...condition for "this network"...) -j ACCEPT
ebtables -t broute -p tcp --dport 80 -j DROP
ebtables -t broute -j ACCEPT

That would be a simple translation of your sentence.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
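The three-line sketch above, written out as a complete broute rule set. This is an added example, not code from either poster or from the Squid wiki: the interface names (eth1 inside, eth2 outside) and the 200.152.32.0/24 prefix are taken from the rules quoted earlier in the thread; the DRY_RUN switch, the run/brouting_rules/count_route_rules helpers and the environment variable names are this example's own. The tcp/80 rules keep the `-p ipv4 --ip-proto tcp --ip-dport 80` match and the `redirect --redirect-target DROP` form from the quoted Squid recipe rather than a bare DROP: in the broute table DROP means "hand the frame to the port's IP stack", and the redirect target additionally rewrites the destination MAC to the bridge port's own MAC so that frame is accepted as a local packet instead of being discarded as addressed to another host. The bypass rules use a plain ACCEPT (bridge) with no MAC rewrite, as Jan suggests.

```shell
#!/bin/sh
# Added example (not from the thread): "bridge everything, route tcp/80,
# but bridge it if it involves this network", as ebtables broute rules.
# DRY_RUN=1 (the default) prints the commands instead of running them,
# so the rule order can be reviewed without root or a bridge device.

EBTABLES="${EBTABLES:-ebtables}"
DRY_RUN="${DRY_RUN:-1}"
INSIDE_IF="${INSIDE_IF:-eth1}"                 # bridge port facing the clients (from the thread)
OUTSIDE_IF="${OUTSIDE_IF:-eth2}"               # bridge port facing upstream (from the thread)
BYPASS_NET="${BYPASS_NET:-200.152.32.0/24}"    # "this network": always bridged, never routed

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# In the broute table: ACCEPT = bridge the frame as usual,
# DROP = "broute" it, i.e. deliver it to the IP stack of the port it arrived on.
brouting_rules() {
    # 1. Start from an empty chain so the script is idempotent.
    run "$EBTABLES" -t broute -F BROUTING

    # 2. Exception first: traffic to or from the bypass network is bridged.
    #    Plain ACCEPT, no MAC rewrite, since the frame stays on the bridge.
    run "$EBTABLES" -t broute -A BROUTING -i "$INSIDE_IF"  -p ipv4 --ip-dst "$BYPASS_NET" -j ACCEPT
    run "$EBTABLES" -t broute -A BROUTING -i "$OUTSIDE_IF" -p ipv4 --ip-src "$BYPASS_NET" -j ACCEPT

    # 3. tcp/80 in both directions is routed. redirect rewrites the destination
    #    MAC to the bridge port's MAC; --redirect-target DROP then broutes it.
    run "$EBTABLES" -t broute -A BROUTING -i "$INSIDE_IF"  -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
    run "$EBTABLES" -t broute -A BROUTING -i "$OUTSIDE_IF" -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

    # 4. Everything else is bridged. The BROUTING chain policy is ACCEPT by
    #    default, so this final rule only makes the intent explicit.
    run "$EBTABLES" -t broute -A BROUTING -j ACCEPT
}

# Review helper: how many rules would route (broute) a frame.
count_route_rules() {
    DRY_RUN=1 brouting_rules | grep -c -- '--redirect-target DROP'
}

# Review helper: how many rules would bridge a frame explicitly.
count_bridge_rules() {
    DRY_RUN=1 brouting_rules | grep -c -- '-j ACCEPT$'
}

brouting_rules
```

Rule order is the whole point: the bypass ACCEPTs must come before the tcp/80 rules, because the first matching rule in BROUTING decides the frame's fate. Run with `DRY_RUN=0` (as root, with the bridge already configured) to apply the rules; the default prints them for inspection.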

