ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> since I learned that |inet| policies trumping |bridge| policies I was
> wondering about the hierarchy of the other families. It is like

They don't. If you accept in inet and drop in bridge, then the bridged packet will be dropped, as it's not passed up to the network layer.

Also, packets that arrive on a bridge will only make it to ipv4/ipv6/inet input if they are delivered to the local machine rather than bridged.

ipv4/ipv6/inet families are network layer, the bridge family is link layer, and netdev ingress is right after the ingress qdisc. arp is also at the network layer, but only for arp packets.

An incoming packet will go through 3 types:

ingress -> prerouting -> input

ingress is only supported by the netdev family. prerouting is supported by the bridge, ipv4, ipv6 and inet families. Same for input.

A packet will never pass through both the ipv4 and ipv6 families (or arp, for that matter).

A packet can pass through bridge (link layer) and ipv4/ipv6/inet/arp (network layer) if it's locally delivered, or if it is sent from the local machine (in this case, it is ipv4/ipv6/inet local -> postrouting, bridge output -> bridge postrouting).

Also see: https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg
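The following ruleset is an added illustration of the layering described in the reply; it is not part of the original message or of the nftables project. It places a counting chain in each of the three layers (netdev ingress, bridge prerouting/forward, inet input) so that an administrator can see from the counters which hooks a given packet actually traverses. The interface names eth0 and br0 and the bridge port name eth1 are assumptions chosen for the example.

```nft
# Added example (not from the mailing-list post). Load with:
#   nft -c -f layers.nft   # syntax check only
#   nft -f layers.nft      # install
# then generate traffic and read the counters with: nft list ruleset
# Interface names (eth0, eth1, br0) are assumptions for this illustration.

# Layer 1: netdev ingress, right after the ingress qdisc of one device.
# Every frame received on eth0 is counted here, whatever happens later.
table netdev layers {
    chain ingress_eth0 {
        type filter hook ingress device "eth0" priority 0; policy accept;
        counter comment "every frame received on eth0"
    }
}

# Layer 2: bridge family, link layer. Frames entering a bridge port hit
# prerouting; frames forwarded between ports hit forward and never reach
# the inet table at all. A drop here is final for bridged traffic, which is
# why an 'accept' in inet cannot override it.
table bridge layers {
    chain prerouting {
        type filter hook prerouting priority -200; policy accept;
        counter comment "every frame entering a bridge port"
    }
    chain forward {
        type filter hook forward priority -200; policy accept;
        # Bridged frames only: the bridged packet is discarded here before
        # the network layer ever sees it.
        iifname "eth1" ether type ip counter drop \
            comment "IPv4 frames bridged in from eth1 (assumed port name)"
    }
}

# Layer 3: inet family, network layer (IPv4 and IPv6 in one table).
# Only packets delivered to this host reach input; bridged frames do not.
table inet layers {
    chain input {
        type filter hook input priority 0; policy drop;
        counter comment "packets delivered locally (IPv4 or IPv6)"
        iif "lo" accept
        ct state established,related accept
        iifname "br0" tcp dport 22 accept comment "ssh to the bridge itself"
    }
}
```

After installing it, sending traffic through the bridge and then running `nft list ruleset` shows the netdev and bridge counters advancing while the inet counter stays unchanged for forwarded frames; only traffic addressed to the host itself increments all three, which is the behaviour the reply describes.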