On Thursday 2011-12-22 18:36, Steve Hill wrote:

> On 22/12/11 16:28, Jan Engelhardt wrote:
>
>>> So at the moment, the only way I can think of doing the filtering
>>> is to allow the packet to run through *all* the iptables rules
>>> without matching the physical output NIC and set one bit of the
>>> fwmark for each physical interface I would let the packet egress.
>>> Then in ebtables (where we know the physical interface) filter the
>>> packets by looking at the fwmark bit that I've used to indicate
>>> that interface. This method is pretty unscalable (fwmark is 32
>>> bits)
>>
>> As for filtering, which I had gathered was what you wanted, you
>> could set the fwmark to indicate drop-or-not-drop (rather than a
>> bit for each interface).
>
> Nope, can't do that - the iptables rules aren't going to know
> whether the packet needs to be dropped or not since it doesn't know
> which physical NIC it will egress

What I mean is that with the mark, you record whether this is a
potential candidate for dropping. E.g. if

    tcp 22 eth0 -> drop, tcp 22 eth1 -> accept

you could

    -A OUTPUT -o br0 -p tcp --dport 22 -j MARK --set-mark [ssh-candidate-bit]
    ebtables -m mark --mark ssh-candidate-bit/ssh-candidate-bit -o [eth0/eth1] -j [DROP/ACCEPT]...

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
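As an added illustration of the candidate-bit scheme in Jan's reply (this script is not part of the thread), the following constructed shell generator turns a small policy table into the matching iptables and ebtables rules, allocating one fwmark bit per traffic class (proto/dport) rather than one per physical interface, and refusing to go past the 32 available bits. It assumes bridged traffic handled in the FORWARD chains, a bridge device named br0, and the MARK target's `--or-mark` option; the chain placement is an assumption to verify against where the mark is visible on your kernel's bridge/netfilter path.

```shell
#!/bin/sh
# Constructed policy table (assumption), one rule per line:
#   <proto> <dport> <physical-out-interface> <DROP|ACCEPT>
POLICY='tcp 22 eth0 DROP
tcp 22 eth1 ACCEPT
tcp 80 eth1 DROP
tcp 80 eth0 ACCEPT'

BRIDGE=br0          # assumed bridge device the IP-layer rules see as -o
IPT_CHAIN=FORWARD   # assumed: bridged (forwarded) traffic, not local output
EBT_CHAIN=FORWARD   # ebtables chain where -o is the physical port

# gen_rules prints one iptables MARK rule per (proto,dport) class that
# flags the packet as a drop/accept candidate, then one ebtables rule per
# (class, physical interface) that makes the final decision.  The mark is
# a single bit per class, so the 32-bit fwmark bounds the number of
# classes, not the number of interfaces.
gen_rules() {
    bit=0
    prev=""
    hexmark=""
    # sort so all rules of one class are adjacent (port compared numerically)
    printf '%s\n' "$POLICY" | sort -k1,1 -k2,2n |
    while read -r proto dport oif action; do
        [ -z "$proto" ] && continue
        class="$proto/$dport"
        if [ "$class" != "$prev" ]; then
            if [ "$bit" -ge 32 ]; then
                echo "error: fwmark has only 32 bits; too many classes" >&2
                return 1
            fi
            hexmark=$(printf '0x%x' $(( 1 << bit )))
            echo "iptables -A $IPT_CHAIN -o $BRIDGE -p $proto --dport $dport -j MARK --or-mark $hexmark"
            bit=$(( bit + 1 ))
            prev=$class
        fi
        echo "ebtables -A $EBT_CHAIN --mark $hexmark/$hexmark -o $oif -j $action"
    done
}
```

Pipe the output into `sh` (or review it first) to load the rules; the ebtables `--mark value/mask` form tests only the class bit, so unrelated mark bits stay usable.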