* --in-interface and --out-interface issue on bridge
@ 2005-04-21 7:41 Wang Jian
From: Wang Jian @ 2005-04-21 7:41 UTC (permalink / raw)
To: netfilter-devel
Hi,
During my testing, I found that --in-interface doesn't work as I expected.
web server -- (eth0--br0--eth1) -- web client
# iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 80 \
-j MARK --set-mark 1
doesn't set the mark to 1.
I googled for a while and read some pages that use such a rule for a bridged
firewall.
# iptables -A FORWARD --in-interface eth0 --out-interface eth1 \
-j ACCEPT
I tested this rule and it failed:
# iptables -t mangle -A FORWARD -i eth0 -p tcp --sport 80 \
-j MARK --set-mark 1
If I remove -i eth0 or use -i br0 instead, then the mark is set.
I looked into net/core/dev.c and net/bridge/* and didn't get a clue about
this.
The kernel is vanilla 2.6.11 with bridge packet filtering on.
--
lark
* Re: --in-interface and --out-interface issue on bridge
From: Patrick McHardy @ 2005-04-24 16:28 UTC (permalink / raw)
To: Wang Jian; +Cc: netfilter-devel
Wang Jian wrote:
> Hi,
>
> During my test, I find that --in-interface doesn't work as I expected.
>
> web server -- (eth0--br0--eth1) -- web client
>
>
> # iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 80 \
> -j MARK --set-mark 1
>
> doesn't set mark to 1.
Find out which interface is used using LOG. There is a physdev match
for use with bridging; perhaps this is what you need.
Regards
Patrick
* Re: --in-interface and --out-interface issue on bridge
From: Wang Jian @ 2005-04-24 17:05 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Hi Patrick McHardy,
Thanks a lot for your hint.
Just out of curiosity: when and why don't -i and -o match on the bridge's
physical devices? A lot of documents on bridging firewalls give examples
using -i and -o.
On Sun, 24 Apr 2005 18:28:17 +0200, Patrick McHardy <kaber@trash.net> wrote:
> Wang Jian wrote:
> > Hi,
> >
> > During my test, I find that --in-interface doesn't work as I expected.
> >
> > web server -- (eth0--br0--eth1) -- web client
> >
> >
> > # iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 80 \
> > -j MARK --set-mark 1
> >
> > doesn't set mark to 1.
>
> Find out which interface is used using LOG. There is a physdev match
> for use with bridging; perhaps this is what you need.
>
> Regards
> Patrick
--
lark
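The physdev match Patrick points to, next to the LOG diagnostic and the -i br0 rule from the first message, as an added shell example that is not part of the thread. It assumes the eth0--br0--eth1 topology described above and, unless IPTABLES=iptables is exported, only prints the commands so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the thread: marking bridged HTTP replies by the
# physical ingress port. Run with IPTABLES=iptables as root; the default
# below only echoes the commands (dry run).
IPTABLES=${IPTABLES:-echo iptables}

# 1. Diagnostic from the reply: log what iptables sees as the in-device.
#    With bridge-nf the log line reads IN=br0 PHYSIN=eth0 for this topology,
#    which is why -i eth0 never matches.
log_ingress() {
    $IPTABLES -t mangle -A PREROUTING -p tcp --sport 80 \
        -j LOG --log-prefix "br-ingress: "
}

# 2. The variant that worked in the first message: -i names the logical
#    bridge device, so it matches br0, not the port the frame came in on.
mark_by_logical_dev() {
    $IPTABLES -t mangle -A PREROUTING -i br0 -p tcp --sport 80 \
        -j MARK --set-mark 1
}

# 3. The physdev match selects the physical bridge port instead
#    (--physdev-in is valid in PREROUTING, INPUT and FORWARD).
mark_by_physical_port() {
    port=${1:-eth0}
    $IPTABLES -t mangle -A PREROUTING -m physdev --physdev-in "$port" \
        -p tcp --sport 80 -j MARK --set-mark 1
}

# Check that bridged frames are handed to iptables at all; if this sysctl
# is 0 (or absent because br_netfilter is not loaded) none of the above fires.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}
```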