[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter-devel
Subject:    --in-interface and --out-interface issue on bridge
From:       Wang Jian <lark () linux ! net ! cn>
Date:       2005-04-21 7:41:58
Message-ID: 20050421151458.03C6.LARK () linux ! net ! cn
[Download RAW message or body]

Hi,

During my test, I find that --in-interface doesn't work as I expected.

  web server -- (eth0--br0--eth1)  -- web client


# iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 80 \
	-j MARK --set-mark 1

doesn't set mark to 1.

I google a while and read some pages that use such a rule for bridged
firewall.

# iptables -A FORWARD --in-interface eth0 --out-interface eth1 \
	-j ACCEPT

I test this rule and fail

# iptables -t mangle -A FORWARD -i eth0 -p tcp --sport 80 \
	-j MARK --set-mark 1

If I removed -i eth0 or use -i br0 instead, then the mark is set.

I looked into net/core/dev.c and net/bridge/* and didn't get clue about
this.

kernel is vanilla 2.6.11 with bridge packet filtering on.


-- 
  lark


[prev in list] [next in list] [prev in thread] [next in thread]