Re: Filtering on bridges

On Thursday 2011-12-22 18:36, Steve Hill wrote:

> On 22/12/11 16:28, Jan Engelhardt wrote:
>
>>>So at the moment, the only way I can think of doing the filtering
>>>is to allow the packet to run through *all* the iptables rules
>>>without matching the physical output NIC and set one bit of the
>>>fwmark for each physical interface I would let the packet egress.
>>>Then in ebtables (where we know the physical interface) filter the
>>>packets by looking at the fwmark bit that I've used to indicate
>>>that interface. This method is pretty unscalable (fwmark is 32
>>>bits)
>>
>>As for filtering, which I had gathered was what you wanted, you
>>could set the fwmark to indicate drop-or-not-drop (rather than a
>>bit for each interface).
>
>Nope, can't do that - the iptables rules aren't going to know
>whether the packet needs to be dropped or not since it doesn't know
>which physical NIC it will egress

What I mean is that with the mark, you record whether this is a
potential candidate for dropping. E.g. if

  tcp 22 eth0 -> drop, tcp 22 eth1 -> accept

you could

  -A OUTPUT -o br0 -p tcp --dport 22 -j MARK --set-mark [ssh-candidate-bit]
  ebtables -A OUTPUT --mark ssh-candidate-bit/ssh-candidate-bit -o [eth0/eth1] -j [DROP/ACCEPT]...
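
A fuller version of the two-stage scheme sketched above, as an added example that is not part of the thread: a POSIX shell script that generates the iptables and ebtables commands instead of applying them, so the rule set can be read (or tested) first and then piped to sh as root. The bridge name br0, the ports eth0/eth1, the chain choice and the policy table are assumptions. It goes a little beyond the mail's tcp/22 case: a second service class shows that one mark bit per policy class composes without a per-port bit, and the same generator produces FORWARD-chain rules for bridged (not locally generated) traffic, which additionally needs br_netfilter with net.bridge.bridge-nf-call-iptables=1.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Two-stage filtering on a bridge: iptables tags a "candidate" bit in the
# fwmark (it cannot see the physical egress port), ebtables reads the same
# skb->mark and makes the per-port decision.
# Assumed names: bridge br0 with ports eth0 and eth1.

BRIDGE=br0

# One fwmark bit per policy class (here: per filtered service), not per port.
SSH_BIT=0x1
HTTP_BIT=0x2

# iptables side: tag only. --or-mark sets just our bit and leaves any other
# mark bits (e.g. used for routing) untouched.
# $1 = chain (OUTPUT for local traffic, FORWARD for bridged traffic)
# $2 = bit, $3 = protocol, $4 = destination port
ipt_tag() {
    printf 'iptables -t mangle -A %s -o %s -p %s --dport %s -j MARK --or-mark %s\n' \
        "$1" "$BRIDGE" "$3" "$4" "$2"
}

# ebtables side: -o is the physical bridge port here, and mark_m's value/mask
# with value == mask == bit means "this bit is set".
# $1 = chain, $2 = bit, $3 = physical port, $4 = DROP or ACCEPT
ebt_decide() {
    printf 'ebtables -A %s --mark %s/%s -o %s -j %s\n' "$1" "$2" "$2" "$3" "$4"
}

# Assumed policy table, starting from the mail's example:
#   tcp/22  eth0 -> drop, eth1 -> accept
#   tcp/80  eth1 -> drop            (second class, same mechanism)
# $1 = chain to use on both sides (OUTPUT or FORWARD)
gen_rules() {
    chain=$1
    ipt_tag    "$chain" "$SSH_BIT"  tcp 22
    ebt_decide "$chain" "$SSH_BIT"  eth0 DROP
    ebt_decide "$chain" "$SSH_BIT"  eth1 ACCEPT
    ipt_tag    "$chain" "$HTTP_BIT" tcp 80
    ebt_decide "$chain" "$HTTP_BIT" eth1 DROP
}

# The mark is 32 bits wide: one bit per class caps the table at 32 classes.
# Prints the number of classes, fails if the table would not fit.
# $@ = list of distinct policy classes
check_bits() {
    n=$#
    if [ "$n" -gt 32 ]; then
        echo "too many policy classes for a 32-bit fwmark: $n" >&2
        return 1
    fi
    echo "$n"
}

# Usage: sh thisfile | sudo sh   (review the printed commands first)
gen_rules OUTPUT
```

Keeping the same chain name on both sides is deliberate: locally generated frames are seen by iptables OUTPUT and, once the bridge has picked the port, by ebtables OUTPUT; bridged frames go through iptables FORWARD (via br_netfilter) and ebtables FORWARD. If more than 32 classes are ever needed, the same idea works with a whole mark value per class (`--set-mark N` and `--mark N/0xffffffff`) instead of a bit.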