Jonathan Thibault wrote:
> I am trying to use connmark based on the bridge output port.
>
> Normally, I would:
>
> ...
> iptables -t mangle -A VMARK -i out -m physdev --physdev-out in.15 -j MARK --or-mark 0x00F
> ...
> iptables -t mangle -A VMARK -j CONNMARK --save-mark
>
> (VMARK is called in -t mangle POSTROUTING)
>
> But since this traffic is routed and not bridged, I get the expected:
>
> "physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore."
>
> Now I could use ebtables to perform the mark in, say, filter FORWARD, but would it know which member interface the packets are going to if the traffic is not being bridged? And if so, would the mark appear in time for me to -j CONNMARK --save-mark in POSTROUTING/VMARK?
>
> I obviously could try it to see if it works, but I'd rather *understand* what I'm doing first ;)
If you want to try and understand the relation between ebtables and routing, have a look at http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and in particular at the nice picture at the end: http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png

'hope this helps.

Nicolas.

_______________________________________________
Bridge mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/bridge
