Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> On 12/03/2019 16:07, Mikhail Morfikov wrote:
> > There's a nice photo depicting the packet flow through the linux firewall[1].
> > Looking at it I have two questions concerning the netdev table:
> >
> > 1. Where exactly is the netdev table located? Right after "ingress (qdisc)"?

Yes.

> > 2. Let's pretend we have multiple network interfaces in a single linux machine,
> > name it eth0 and eth1. These interfaces are bridged/bonded, and you have
> > another interface -- bond0. Which interfaces should be used when you create
> > the netdev table? Should it be one for eth0 and one for eth1, or just one
> > for bond0? Which one is better and why?

One for bond0, I don't think it makes sense to try to filter individual interfaces of a bond.

For bridge, it depends. If you e.g. only have one bridge port that needs filtering, then you can avoid the filtering overhead for the other interfaces by only attaching to the one port that needs those rules.
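As an added illustration of the two cases in the reply (not part of the original thread), here is an nftables ruleset that attaches the netdev ingress hook to the bond as a whole in one table, and to a single bridge port in another. The interface names bond0, eth2 and eth3, and the LAN prefix 192.168.1.0/24, are assumed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumes a bond named bond0
# (members eth0/eth1) used as the uplink, a bridge whose ports are eth2/eth3,
# and a LAN prefix of 192.168.1.0/24 (all constructed values).

# Case 1: bonded interfaces. Attach the ingress hook to bond0 only; a chain on
# eth0 or eth1 would run the same rules twice and see only part of the traffic.
table netdev ingress_bond {
    chain ingress {
        # "hook ingress" is the point right after the ingress qdisc in the
        # packet-flow diagram, before the bridge and IP layers see the frame.
        type filter hook ingress device bond0 priority -500; policy accept;

        # Drop obviously bogus IPv4 source addresses before the IP stack runs.
        ip saddr { 0.0.0.0/8, 127.0.0.0/8, 240.0.0.0/4 } counter drop

        # Our own LAN prefix must never arrive as a source on the uplink bond.
        ip saddr 192.168.1.0/24 counter drop
    }
}

# Case 2: bridge. Only eth2 faces untrusted hosts, so attach the hook to that
# one port and leave eth3 without the extra per-packet cost.
table netdev ingress_bridge_port {
    chain ingress {
        type filter hook ingress device eth2 priority -500; policy accept;

        # Refuse IPv6 router advertisements coming from the untrusted port.
        icmpv6 type nd-router-advert counter drop
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` then shows the per-rule counters, which is a quick way to confirm the hook is attached to the intended device.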