[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-bridge
Subject:    Re: [Bridge] a patch against the 2.4.3 netfilter/iptables patch
From:       Lennert Buytenhek <buytenh () gnu ! org>
Date:       2001-05-18 22:46:03
[Download RAW message or body]


On Mon, May 07, 2001 at 06:27:37PM +0200, Bart De Schuymer wrote:

> Hello,

Hi,


> I have gotten bridging + firewalling to work on a kernel v. 2.4.3. The
> firewalling includes connection tracking and the ftp-module.

Great!!!


> These things I changed:
> 
> - /net/bridge/netfilter/Makefile
> deleted the line that made the netfilter module be always resident in the
> kernel.

Applied.


> - /net/bridge/netfilter/br_passthrough.c
> IP-packets on all 5 hooks get sent to the netfilter code.

As discussed in private email, this is probably necessary for connection
tracking, but I'm worried about the issue of orthogonality (bridge INPUT/OUTPUT
and IP INPUT/OUTPUT hooks). Applied for now.


> - /net/bridge/br_forward.c
> Created the LOCAL_OUT hook, the old code only used 4 hooks. Connection
> tracking for locally generated packets can't work without a LOCAL_OUT hook.

Applied, see note above.


> - /net/bridge/br_device.c
> changed a line back to it's original look (so as it is in the standard
> kernel). Without this change the bridging computer couldn't communicate with
> other computers (e.g. ping's didn't work). Don't ask me why exactly it now
> works and didn't then though... I just had this problem and knew I could
> ping with the standard kernel working as a bridge so I looked what was
> different and this was what I found...

Applied, added FIXME comment.

	http://bridge.sf.net/devel/bridge-nf/bridge-nf-20010519-against-2.4.4-1.diff

I'd love to think we're a step closer to transparent stateful firewalls now.
People, please test this patch.


cheers,
Lennert

[prev in list] [next in list] [prev in thread] [next in thread]