Re: Iptables: Matching packets leaving a bridged interface

Hello,

Jamie Cockburn wrote:
> 
> Given a setup with eth0 and eth1 in a bridge br0 and a third interface eth2.
> 
> In this scenario, let's say I want TCP port 80 traffic to be dropped if it is going to the network attached to eth0, but allow it to eth1.
> 
> I am therefore trying to reliably match packets that go out over the specific interface eth0.
> 
> If I add the following iptables rule in the filter table:
> 
>     -A FORWARD -o br0 -m physdev --physdev-out eth0 -j LOG
> 
> Given a packet that originates from eth1 (the other half of the bridge), then the rule matches just fine, logging:
> 
>     ... IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 ...
> 
> However if the packet originates from eth2, then the rule no longer matches.

Because the packet is not bridged, as eth2 is not part of the bridge. So
it won't follow the FORWARD bridging path but the FORWARD IP routing path.

See the packet flow diagram in <http://en.wikipedia.org/wiki/Netfilter>.
According to it, the packet will enter the bridging OUTPUT path only
after the last iptables chain was traversed.

I'm afraid your only option to deal with that case is to use ebtables
filtering in the OUTPUT chain.
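As an added example (not part of the thread), the script below emits the two rules this setup needs to block TCP/80 toward the network behind eth0: an iptables FORWARD rule with the physdev match for frames bridged eth1 -> eth0, and an ebtables OUTPUT rule for packets routed in from eth2 and then sent out through bridge port eth0, where iptables FORWARD runs before the egress bridge port is known. Interface names and the port come from the thread; the `--physdev-is-bridged` flag and the ebtables ip-match options are standard, and the script's functions and APPLY variable are its own.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the rules by default;
# run as root with APPLY=1 to execute them.

BRIDGE=br0
BLOCK_PORT=eth0   # bridge port whose network must not receive TCP/80
PORT=80

# Traffic bridged inside br0 (e.g. eth1 -> eth0) reaches iptables FORWARD
# with IN=br0 OUT=br0 (only when net.bridge.bridge-nf-call-iptables=1), and
# the physdev match can then select the egress bridge port. The
# --physdev-is-bridged flag restricts the rule to bridged frames, which is
# the only case where --physdev-out is reliable in FORWARD.
bridged_rule() {
    echo "iptables -A FORWARD -o $BRIDGE -m physdev --physdev-is-bridged --physdev-out $BLOCK_PORT -p tcp --dport $PORT -j DROP"
}

# Traffic routed from eth2 into br0 passes iptables FORWARD before the
# bridge picks an egress port, so PHYSOUT is empty there. The ebtables
# OUTPUT chain runs after that decision and can match -o eth0 directly.
routed_rule() {
    echo "ebtables -A OUTPUT -o $BLOCK_PORT -p IPv4 --ip-proto tcp --ip-dport $PORT -j DROP"
}

apply_or_print() {
    for r in "$(bridged_rule)" "$(routed_rule)"; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$r"
        else
            echo "$r"
        fi
    done
}

apply_or_print
```

Both rules are needed together: the iptables rule alone leaves the routed path open, as the original poster observed, and the ebtables rule alone does not see frames that the physdev path already handles.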