Re: Filtering on bridges

On Wednesday 2011-12-21 11:16, Steve Hill wrote:

>For bridged traffic (i.e. traffic that is coming in through one physical NIC,
>traversing a bridge and being sent out of another one without being routed),
>physdev still works as expected.
>
>However, for traffic that has gone through the machine's own IP stack (either
>by being routed or by being generated locally), --physdev-out is no longer
>allowed.  At the time the iptables rules are being executed, the only thing you
>know is the logical bridge interface it is being routed to rather than the
>physical NIC it will eventually be sent from.  Is there a recommended method of
>filtering this traffic based on the physical NIC it is being sent out of, now
>that the deferred rule functionality has been removed?  ebtables doesn't really
>seem to be an option since it is nowhere near as powerful as iptables when it
>comes to IP filtering.

Mark the packets leaving on brX with iptables, then use ebtables to check
for the physical interface plus the mark.
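As an added example (not from the thread), the two-stage setup the reply describes: iptables marks the packets on their way out of the logical bridge, where it can still see the IP header, and ebtables matches the physical port plus that mark. The bridge name br0, port eth1, destination 192.0.2.0/24 and mark value 0x1 are assumptions.

```shell
#!/bin/sh
# Added example: mark at the IP layer, match the physical port at the bridge layer.
# Interface names, subnet and mark value below are assumed, not from the thread.
BR=${BR:-br0}              # logical bridge interface, the only -o iptables knows
PHYS=${PHYS:-eth1}         # physical bridge port, visible only to ebtables
DST=${DST:-192.0.2.0/24}   # example destination (TEST-NET-1)
MARK=${MARK:-0x1}          # skb mark shared by iptables MARK and ebtables --mark

# iptables side: routed and locally generated packets both traverse mangle
# POSTROUTING; -o here is the bridge, since --physdev-out is not allowed.
iptables_mark_rule() {
    printf '%s\n' "-t mangle -A POSTROUTING -o $BR -d $DST -j MARK --set-mark $MARK"
}

# ebtables side: frames coming from the IP stack pass the filter OUTPUT chain,
# where -o is the physical port and --mark reads the mark iptables set.
ebtables_drop_rule() {
    printf '%s\n' "-A OUTPUT --logical-out $BR -o $PHYS --mark $MARK -j DROP"
}

# Install both rules; with DRY_RUN set, print the commands instead.
apply_rules() {
    ipt="iptables $(iptables_mark_rule)"
    ebt="ebtables $(ebtables_drop_rule)"
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n%s\n' "$ipt" "$ebt"
    else
        eval "$ipt" && eval "$ebt"
    fi
}
```

Run with `DRY_RUN=1 sh script.sh` after appending `apply_rules` to print the rules, or as root without DRY_RUN to install them.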