Has anyone experienced a condition where a rule counter increments but the target doesn't work? (I tried the DROP and TRACE targets, and the MARK target as well, without success.) Any ideas where I should look next?

The firewall is a bridging firewall. I can see traffic hitting a specific firewall rule for a specific host that has a DROP target (counters increment), but the traffic is still making it through. I tried the TRACE target to see if I had done something wrong, but it doesn't work either (I did insmod the logging module). No logs in /var/log/kern.log, messages, syslog, etc.

Other rules have been to mark packets for a queue, but the queue counters don't increment even though the iptables rule's counters do. (It used to work fine.)

All of this started after upgrades which forced me to add VLAN subinterfaces and bridge them. (I used to just bridge the physical interfaces and ignore the VLANs, and everything worked fine. After the upgrade this no longer worked, and the only fix was to add the subinterface configs for the VLANs. After fixing the bridging to work with the new kernel, iptables is not working.)

The bridge has multiple interfaces/subinterfaces: eth0-eth3 all have subinterfaces, i.e. eth0.1, eth.100, etc., and the bridges contain the subinterfaces only. Traffic is passing normally and VLANs are working as expected through the bridge; that is to say, the hosts on either side of the bridge are getting the traffic they are supposed to.

I have the setting in sysctl.conf set to pass bridge traffic to iptables and also the setting for passing VLAN traffic to iptables. I verified via the sysctl command. I also turned these settings off and verified that packets no longer incremented the counters on the rules, turned them back on, and verified that the counters on a very specific rule (1 src IP) increment again. But I verified that I can still pass traffic through the bridge.

I have verified that there are no rules ahead of the block rule, although the default for all tables is ACCEPT.
Any help appreciated.

Andy
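The post compares rule counters with the sysctl settings toggled on and off to decide whether a bridged rule is actually matching. The script below is an added example, not part of the original message or of the netfilter project: it reads the two bridge-netfilter sysctls the post refers to (net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-filter-vlan-tagged, exposed under /proc/sys/net/bridge/) and diffs the packet counter of one rule between two `iptables -vnL` snapshots, so the "counter increments" half of the observation can be checked mechanically. The two snapshots embedded here are constructed sample output, and 192.0.2.10 is a documentation address chosen for the example.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post): confirm the bridge
# netfilter sysctls and measure how many packets a given rule matched between
# two snapshots of `iptables -vnL`.

# Constructed sample `iptables -vnL FORWARD` output taken before and after
# sending test traffic from 192.0.2.10 (addresses and counts are made up).
SNAP_BEFORE='Chain FORWARD (policy ACCEPT 1200 packets, 96000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   800 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SNAP_AFTER='Chain FORWARD (policy ACCEPT 1300 packets, 104000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  2000 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# bridge_nf_status: print the two sysctls that decide whether bridged (and
# VLAN-tagged bridged) frames are handed to iptables. They only exist when
# the bridge netfilter code is loaded, so report that case explicitly.
bridge_nf_status() {
  for key in bridge-nf-call-iptables bridge-nf-filter-vlan-tagged; do
    f="/proc/sys/net/bridge/$key"
    if [ -r "$f" ]; then
      printf '%s = %s\n' "$key" "$(cat "$f")"
    else
      printf '%s = (not exposed; bridge netfilter not loaded?)\n' "$key"
    fi
  done
}

# pkts_for_target SNAPSHOT TARGET SOURCE
# Packet counter of the first rule whose target and source match, else 0.
# In `iptables -vnL` output the columns are: pkts bytes target prot opt in
# out source destination, so target is $3 and source is $8.
pkts_for_target() {
  printf '%s\n' "$1" | awk -v tgt="$2" -v src="$3" \
    'BEGIN { p = 0 } $3 == tgt && $8 == src { p = $1; exit } END { print p }'
}

# rule_delta BEFORE AFTER TARGET SOURCE
# Packets matched by the rule between the two snapshots.
rule_delta() {
  b=$(pkts_for_target "$1" "$3" "$4")
  a=$(pkts_for_target "$2" "$3" "$4")
  echo $((a - b))
}

# Demo: show the sysctls, then the counter movement on the DROP rule.
bridge_nf_status
printf 'DROP rule for 192.0.2.10 matched %s packets during the test\n' \
  "$(rule_delta "$SNAP_BEFORE" "$SNAP_AFTER" DROP 192.0.2.10)"
```

If the delta is positive while the destination host still receives the test traffic, the rule is being consulted but its verdict is not taking effect, which is exactly the symptom described above; that narrows the search to the bridge/VLAN path after the rule rather than to the match itself.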