On Sun, 21 Oct 2007 00:21:57 -0400 [EMAIL PROTECTED] wrote:

> Hello folks, I'm hoping someone can help me here. I'll try to describe the
> problem in detail.
>
> I'm attempting to set up a bridging firewall using libipq. I'm running on
> Ubuntu Server 7.04, out of the box kernel (2.6.20).
> My bridge is set up with the following commands:
> --
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 eth1
> brctl addif br0 eth2
> ifconfig eth1 down
> ifconfig eth2 down
> ifconfig eth1 0.0.0.0 up
> ifconfig eth2 0.0.0.0 up
> ifconfig br0 0.0.0.0 up
> --
>
> IP queue is set up with the following:
> --
> iptables -A FORWARD -j QUEUE
> modprobe ip_queue
> --
>
> The bridge works fine. Traffic is sent back and forth. My libipq app can see
> traffic and stop it. However, one thing I would like to be able to find out
> in user space is which interface a packet arrived on (i.e. which direction
> it's going). As far as IPQ is concerned, all packets are arriving and leaving
> on br0.
> After reading a bit more about netfilter, iptables and the FIREWALL document
> distributed with brctl, I figured my best bet would be to do something like this:
> iptables -A INPUT -i eth1 -j MARK --set-mark 1
> iptables -A INPUT -i eth2 -j MARK --set-mark 2
>
> This way I could just check the mark value when the packet got sent to QUEUE
> (and up to user space) from the FORWARD chain. However, this doesn't work.
> From everything I can tell, packets traversing the bridge do not even go
> through the INPUT chain, as I can put in this rule:
> iptables -A INPUT -j DROP
>
> yet traffic still flows through fine (as long as my libipq app is running).
>
> Does anyone here have any ideas? I would really appreciate any suggestions.
>
> Cheers,
> David Vessey
Ask on the netfilter-devel mailing list and Patrick McHardy.

--
Stephen Hemminger <[EMAIL PROTECTED]>

_______________________________________________
Bridge mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/bridge
