On 06/04/2019 22:16, Florian Westphal wrote:
> Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
>> On 12/03/2019 16:07, Mikhail Morfikov wrote:
>>> There's a nice photo depicting the packet flow through the linux firewall[1].
>>> Looking at it I have two questions concerning the netdev table:
>>>
>>> 1. Where exactly is the netdev table located? Right after "ingress (qdisc)"?
>
> Yes.
>
>>> 2. Let's pretend we have multiple network interfaces in a single linux machine,
>>> name it eth0 and eth1. These interfaces are bridged/bonded, and you have
>>> another interface -- bond0. Which interfaces should be used when you create
>>> the netdev table? Should it be one for eth0 and one for eth1, or just one
>>> for bond0? Which one is better and why?
>
> One for bond0, I don't think it makes sense to try to filter individual
> interfaces of a bond.
>
> For bridge, it depends.
> If you e.g. only have one bridge port that needs filtering, then you
> can avoid the filtering overhead for the other interfaces by only
> attaching to the one port that needs those rules.

Thanks for the answer.
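The two placements Florian describes, written out as an nft ruleset file (an added example, not part of the thread; the interface names bond0/eth0 and the 192.0.2.0/24 range are assumptions):

```nft
# Added example, not from the thread. Load with: nft -f netdev-ingress.nft
# Assumed names: bond0 (bond master), eth0 (the one bridge port to filter),
# 192.0.2.0/24 (documentation range used as a sample source to block).
table netdev filter {
    # Bonding case: attach to the aggregate device only. The ingress hook runs
    # again after the bond driver re-injects the frame with skb->dev = bond0,
    # so this single chain covers traffic arriving on every slave.
    chain ingress_bond {
        type filter hook ingress device bond0 priority 0; policy accept;
        ip saddr 192.0.2.0/24 counter drop comment "never a valid source on this link"
        tcp flags & (fin|syn) == (fin|syn) counter drop comment "impossible flag combination"
    }

    # Bridge case: attach to just the port that needs the rules. Frames entering
    # on the other bridge ports never traverse this chain, so they pay no cost.
    chain ingress_br_port {
        type filter hook ingress device eth0 priority 0; policy accept;
        ether type arp counter accept
        ip saddr 192.0.2.0/24 counter drop
    }
}
```

`nft list ruleset` after loading shows the per-rule counters, which is the quickest way to confirm the chain sees the traffic you expect.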