Linus Lüssing <linus.luessing@xxxxxxxxx> wrote:
> I'm wondering whether I'm currently overlooking a simple solution
> for the following:
>
> When setting bridge-nf-call-iptables = 1, is there a simple way to
> check within one iptables rule whether it matched from a bridge
> netfilter hook or from an IP netfilter hook?

What is the use case? I would try to not use nf-call-iptables if possible.

If it's a bridge netfilter hook, it's only visible in ebtables.
If it's a "native" IP netfilter hook, the skb has no bridge netfilter
extension, --physdev-is-in/out will never match.

> "--physdev-is-bridged" seemingly is not quite what I'm looking
> for, as it will only match after a bridging decision, in the
> FORWARD or POSTROUTING chains.

Yes, for some reason it was tied to output interface.