Re: Filtering on bridges

[Vigneswaran R <vignesh@xxxxxxxxxxx>]

On Friday 23 December 2011 03:35 AM, Jan Engelhardt wrote:
> On Thursday 2011-12-22 18:36, Steve Hill wrote:
>
> > On 22/12/11 16:28, Jan Engelhardt wrote:
> >
> > > > So at the moment, the only way I can think of doing the filtering
> > > > is to allow the packet to run through *all* the iptables rules
> > > > without matching the physical output NIC and set one bit of the
> > > > fwmark for each physical interface I would let the packet egress.
> > > > Then in ebtables (where we know the physical interface) filter the
> > > > packets by looking at the fwmark bit that I've used to indicate
> > > > that interface. This method is pretty unscalable (fwmark is 32
> > > > bits)
> > >
> > > As for filtering, which I had gathered was what you wanted, you
> > > could set the fwmark to indicate drop-or-not-drop (rather than a
> > > bit for each interface).
> >
> > Nope, can't do that - the iptables rules aren't going to know
> > whether the packet needs to be dropped or not since it doesn't know
> > which physical NIC it will egress

Sorry for interrupting your discussion. I am following this thread from 
the beginning. However, I couldn't get exactly how your setup looks 
like. If possible, could you please give a simple (ascii) pictorial 
representation of your setup. This may help more people (normal iptable 
users like me) to understand the discussion better. Thank you.

Regards,
Vignesh


> What I mean is that with the mark, you record whether this is a
> potential candidate for dropping. E.g. if
>
>    tcp 22 eth0 ->  drop, tcp 22 eth1 ->  accept
>
> you could
>
>    -A OUTPUT -o br0 -p tcp --dport 22 -j MARK --set-mark [ssh-candidate-bit]
>    ebtables -m mark --mark ssh-candidate-bit/ssh-candidate-bit -o [eth0/eth1] -j [DROP/ACCEPT]...
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html