> On Friday 23 December 2011 03:35 AM, Jan Engelhardt wrote:
>> On Thursday 2011-12-22 18:36, Steve Hill wrote:
>>> On 22/12/11 16:28, Jan Engelhardt wrote:
>>>>> So at the moment, the only way I can think of doing the filtering
>>>>> is to allow the packet to run through *all* the iptables rules
>>>>> without matching the physical output NIC and set one bit of the
>>>>> fwmark for each physical interface I would let the packet egress.
>>>>> Then in ebtables (where we know the physical interface) filter the
>>>>> packets by looking at the fwmark bit that I've used to indicate
>>>>> that interface. This method is pretty unscalable (fwmark is 32
>>>>> bits).
>>>> As for filtering, which I had gathered was what you wanted, you
>>>> could set the fwmark to indicate drop-or-not-drop (rather than a
>>>> bit for each interface).
>>> Nope, can't do that - the iptables rules aren't going to know
>>> whether the packet needs to be dropped or not since it doesn't know
>>> which physical NIC it will egress.
> Sorry for interrupting your discussion. I am following this thread from
> the beginning. However, I couldn't get exactly what your setup looks
> like. If possible, could you please give a simple (ASCII) pictorial
> representation of your setup? This may help more people (normal iptables
> users like me) to understand the discussion better. Thank you.
> Regards,
> Vignesh
What I mean is that with the mark, you record whether this is a
potential candidate for dropping. E.g. if
tcp 22 eth0 -> drop, tcp 22 eth1 -> accept
you could
-A OUTPUT -o br0 -p tcp --dport 22 -j MARK --set-mark [ssh-candidate-bit]
ebtables -m mark --mark ssh-candidate-bit/ssh-candidate-bit -o [eth0/eth1] -j [DROP/ACCEPT]...
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
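The two-stage "candidate bit" scheme Jan sketches above (tag ssh packets with one fwmark bit in iptables, where only the logical bridge device br0 is known; decide per physical port in ebtables, where the real egress NIC is known), written out as a complete script. This is an added example, not code posted by Jan, Steve or anyone else in the thread; the interface names br0, eth0 and eth1, the bit value 0x1 and the port lists are assumptions chosen for illustration. It also covers bridged (FORWARD) traffic alongside the locally generated (OUTPUT) case in Jan's one-liner.

```shell
#!/bin/sh
# Added illustration of the two-stage "candidate bit" scheme from the thread,
# not code posted by Jan or Steve.  Interface names (br0, eth0, eth1), the
# bit value 0x1 and the port lists are assumptions chosen for the example.
#
# Stage 1, iptables (mangle table): rules on the bridge device only see the
# logical egress interface br0, so they cannot decide drop-or-accept.  They
# only tag packets that are *candidates* for dropping with one fwmark bit.
# Stage 2, ebtables: the physical bridge port is known here, so the decision
# is made per port by testing that bit.  One bit serves any number of ports,
# unlike the one-bit-per-interface variant, which exhausts the 32-bit fwmark.

set -e

BRIDGE=br0                # assumed bridge device
SSH_CANDIDATE_BIT=0x1     # assumed fwmark bit reserved for "ssh candidate"
DROP_PORTS="eth0"         # assumed physical ports where ssh must be dropped
ACCEPT_PORTS="eth1"       # assumed physical ports where ssh is allowed

# emit_rules prints the rule set one command per line instead of running
# it, so it can be reviewed (or tested) without root; "apply" mode below
# pipes the same output through sh.
emit_rules() {
    # Bridged (forwarded) frames only traverse iptables when the
    # br_netfilter hooks are enabled; locally generated packets always do.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"

    # Stage 1: OUTPUT covers locally generated traffic, FORWARD covers
    # frames bridged between ports.  --or-mark sets the bit without
    # clobbering other bits the fwmark may already carry.
    for chain in OUTPUT FORWARD; do
        echo "iptables -t mangle -A $chain -o $BRIDGE -p tcp --dport 22 -j MARK --or-mark $SSH_CANDIDATE_BIT"
    done

    # Stage 2: ebtables sees the physical out-port (-o ethX).  --mark value/mask
    # is ebtables' built-in mark match; packets without the bit never match
    # these rules and fall through to the chain policy.
    for chain in OUTPUT FORWARD; do
        for port in $DROP_PORTS; do
            echo "ebtables -A $chain -o $port --mark $SSH_CANDIDATE_BIT/$SSH_CANDIDATE_BIT -j DROP"
        done
        for port in $ACCEPT_PORTS; do
            echo "ebtables -A $chain -o $port --mark $SSH_CANDIDATE_BIT/$SSH_CANDIDATE_BIT -j ACCEPT"
        done
    done
}

case "${1:-show}" in
    apply) emit_rules | sh ;;   # needs root plus the iptables/ebtables tools
    show)  emit_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 1 ;;
esac
```

Run it without arguments to see the generated rules; `apply` executes them. Note that ebtables' mark match is written `--mark value/mask` directly (there is no `-m mark`, which is iptables syntax), and that it only tests the fwmark iptables set on the same skb, so the sysctl line matters for bridged frames: without br_netfilter the FORWARD rules in the mangle table never see them and the bit is never set.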