RE: Iptables: Matching packets leaving a bridged interface

[Jamie Cockburn <jcockburn@bloxx.com>]

Pascal!

Thanks for getting back to me.  Very helpful information!

Pascal Hambourg wrote:
> Because the packet is not bridged, as eth2 is not part of the bridge. So  it won't follow the FORWARD bridging path but the FORWARD IP routing path.
>
> See the packet flow diagram in <http://en.wikipedia.org/wiki/Netfilter>.

I think I follow... So based on the diagram, my packet is initially hitting "bridge check", heading along the green "network layer" path, hitting "routing decision", and dropping down into the blue "link layer" path.  Hence, until it gets to ebtables -> nat -> output, it's not gone anywhere near the bridging mechanism, so has never has PHYSOUT set.

Couple of follow-up question then!

1: Do you know if by the time it reaches ebtables -> filter -> output that the packet will have a PHYSOUT (or equivalent) set?

2: Will I be able to differentiate between packets for eth0 and eth1 (when the bridge doesn't know which specific interface it should send it on).

Now I need to complicate my original scenario...say I want to drop packets the originate from eth2 (the non-bridged interface) and will egress on eth0.

3: I'm guessing that by the time the packet hits ebtables -> filter -> output, that it will have lost its IN/PHYSIN?

4: If that is the case, would something like this work:
      - In iptables -> filter: -A FORWARD -i eth2 -o br0 -j MARK --set-mark 1234
      - In ebtable -> filter: -A OUTPUT -physdev-out eth0 --m mark --mark 1234 -j DROP

Jamie

-----Original Message-----
From: Pascal Hambourg [mailto:pascal@plouf.fr.eu.org] 
Sent: 25 June 2014 10:58
To: Jamie Cockburn
Cc: netfilter@vger.kernel.org
Subject: Re: Iptables: Matching packets leaving a bridged interface

Hello,

Jamie Cockburn a écrit :
> 
> Given a setup with eth0 and eth1 in a bridge br0 and a third interface eth2.
> 
> In this scenario, lets say I want TCP port 80 traffic to be dropped if it is going to the network attached to eth0, but allow it to eth1.
> 
> I am therefore trying to reliably match packets that go out over the specific interface eth0.
> 
> If I add the following iptables rule in the filter table:
> 
>     -A FORWARD -o br0 --physdev-out eth0 -j LOG
> 
> Given a packet that originates from eth1 (the other half of the bridge), then the rule matches just fine, logging:
> 
>     ... IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 ...
> 
> However if the packet origniates from eth2, then the rule no longer matches.
Report this message as spam http://joey.alba.local/quarantine/notifications/reportspam/message/1813852/check/9da66caf713bf11249ee4bc6db23fa2f