On 22/12/11 16:28, Jan Engelhardt wrote:
>> So at the moment, the only way I can think of doing the filtering is to allow
>> the packet to run through *all* the iptables rules without matching the
>> physical output NIC and set one bit of the fwmark for each physical interface I
>> would let the packet egress. Then in ebtables (where we know the physical
>> interface) filter the packets by looking at the fwmark bit that I've used to
>> indicate that interface. This method is pretty unscalable (fwmark is 32
>> bits).
> As for filtering, which I had gathered was what you wanted, you could
> set the fwmark to indicate drop-or-not-drop (rather than a bit for each
> interface).
Nope, can't do that - the iptables rules aren't going to know whether
the packet needs to be dropped or not since it doesn't know which
physical NIC it will egress - each NIC has its own (different) set of
filtering rules, so without knowing the NIC, iptables won't know which
set of filtering rules to apply and therefore whether the packet is to
be dropped or not.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve@xxxxxxxxxxxx
Email: steve@xxxxxxxxxxxx
Phone: sip:steve@xxxxxxxxxxxx
Sales / enquiries contacts:
Email: sales@xxxxxxxxxxxx
Phone: +44-844-9791439 / sip:sales@xxxxxxxxxxxx
Support contacts:
Email: support@xxxxxxxxxxxx
Phone: +44-844-4844916 / sip:support@xxxxxxxxxxxx
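The bit-per-port scheme Steve describes above, written out as an added example (not code from the thread): iptables, which only sees the bridge, OR's one fwmark bit into the packet for each physical port whose policy would allow it; ebtables, which sees the physical port, drops anything leaving a port whose bit is unset. The bridge name br0, the chain names and the port list are assumptions, and bridge-nf (net.bridge.bridge-nf-call-iptables=1) is assumed to be on so bridged frames traverse iptables FORWARD.

```shell
#!/bin/sh
# Added example, not the thread's code. Emits the per-port fwmark rule set
# rather than executing it, so it can be reviewed (pipe into sh to apply).

# Mark bit for the Nth port (0-based). Fails past bit 31: the 32-bit fwmark
# limit that makes the scheme unscalable.
port_bit() {
    n=$1
    [ "$n" -lt 32 ] || return 1
    printf '0x%x\n' $(( 1 << n ))   # 1<<31 needs the 64-bit arithmetic dash/bash provide
}

# Print iptables and ebtables rules for the given physical bridge ports.
gen_rules() {
    i=0
    for port in "$@"; do
        bit=$(port_bit "$i") || { echo "too many ports: fwmark has only 32 bits" >&2; return 1; }
        # iptables side (bridge br0 is all it can match on): each port's own
        # deny rules go into allow_$port ahead of the final MARK, each with
        # -j RETURN, so only packets that pass that port's policy get its bit.
        echo "iptables -t mangle -N allow_$port"
        echo "iptables -t mangle -A FORWARD -o br0 -j allow_$port"
        echo "iptables -t mangle -A allow_$port -j MARK --set-xmark $bit/$bit"
        # ebtables side: the physical egress port is known here, so drop the
        # frame unless the bit for this port was set upstream.
        echo "ebtables -A FORWARD -o $port --mark ! $bit/$bit -j DROP"
        i=$((i + 1))
    done
}
```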