Filtering on bridges
I have previously used iptables to filter traffic on bridged interfaces using the physdev module. However, recently it seems there was a change in the semantics of physdev:
For bridged traffic (i.e. traffic that is coming in through one physical NIC, traversing a bridge and being sent out of another one without being routed), physdev still works as expected.
However, for traffic that has gone through the machine's own IP stack (either by being routed or by being generated locally), --physdev-out is no longer allowed. At the time the iptables rules are being executed, the only thing you know is the logical bridge interface it is being routed to rather than the physical NIC it will eventually be sent from. Is there a recommended method of filtering this traffic based on the physical NIC it is being sent out of, now that the deferred rule functionality has been removed? ebtables doesn't really seem to be an option since it is nowhere near as powerful as iptables when it comes to IP filtering.
Background: I'm running virtualised servers which are bridged to the physical network (this makes VM migration between physical hosts possible - doing this using a routed infrastructure would be messy since the routers themselves would need to be adjusted during VM migration). I run iptables/ip6tables on the host machine in order to firewall the VMs and also for statistics reporting - these iptables rules reference each VM's network interface. I would like to be able to filter routed traffic in the same way as the bridged traffic, but this involves knowing which VM it is destined for (and hence which NIC it will be sent to).
--
- Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messager: xmpp:steve@xxxxxxxxxxxx
Email: steve@xxxxxxxxxxxx
Phone: sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
Email: sales@xxxxxxxxxxxx
Phone: +44-844-9791439 / sip:sales@xxxxxxxxxxxx

Support contacts:
Email: support@xxxxxxxxxxxx
Phone: +44-844-4844916 / sip:support@xxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
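The per-VM physdev rules for the bridged path that the post describes, written out as an added example (not code from the original post): the bridge name br0, the VM interface vnet0 and the address 10.0.0.10 are constructed, and the rules are restricted with --physdev-is-bridged because --physdev-out is only valid for traffic that stays on the bridge.

```shell
#!/bin/sh
# Added example: emit per-VM iptables rules for the bridged path only.
# Interface and address names are constructed for illustration.
# IPT defaults to "echo iptables" so the rules are printed rather than
# loaded; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

# vm_bridge_rules BRIDGE VMIF VMIP
# Every rule carries --physdev-is-bridged: the physical egress NIC is
# only known for packets that traverse the bridge, so --physdev-out
# cannot be used for routed or locally generated traffic.
vm_bridge_rules() {
    bridge=$1; vmif=$2; vmip=$3
    # Per-VM accounting chain so byte/packet counters can be read per VM.
    $IPT -N "acct_${vmif}" 2>/dev/null
    # Ingress from the VM: drop anything not sourced from its own address.
    $IPT -A FORWARD -i "$bridge" -m physdev --physdev-in "$vmif" \
        --physdev-is-bridged ! -s "$vmip" -j DROP
    $IPT -A FORWARD -i "$bridge" -m physdev --physdev-in "$vmif" \
        --physdev-is-bridged -s "$vmip" -j "acct_${vmif}"
    # Egress towards the VM over the bridge: the VM's NIC is known here.
    $IPT -A FORWARD -o "$bridge" -m physdev --physdev-out "$vmif" \
        --physdev-is-bridged -d "$vmip" -j "acct_${vmif}"
}

# Count how many emitted rules use --physdev-out without
# --physdev-is-bridged (should always be zero for this generator).
unbridged_physdev_out() {
    vm_bridge_rules "$@" | grep -- '--physdev-out' \
        | grep -v -c -- '--physdev-is-bridged'
}

vm_bridge_rules br0 vnet0 10.0.0.10
```

With IPT left at its default the script prints the three FORWARD rules and the chain creation; the counters are then read with iptables -L acct_vnet0 -v.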