On Thu, Jan 31, 2002 at 10:00:21AM -0500, indra g. harijono wrote:
> Hi Lennert,

Hi,

Can you please quote stuff properly next time?

> > > I am (roughly) thinking when netfilter has PREROUTING, FORWARD and
> > > POSTROUTING filter, maybe bridge should be defined like PREIP, BFORWARD
> > and
> > > POSTIP ?
> >
> > Why?
>
> Based on my understanding, I can use bridge and ignore the routing process
> (ip stack).

Yes.

> But sometimes I would like to filter the packets (for forwarding)
> on the bridge level and/or also to pass to ip stack to do ip router
> functionalities.

I'm not sure what you mean here.

> On the ip stack I would like to do filtering again with the
> netfilter architecture. Therefore I was thinking like that, or do you have
> comments or ideas ?

Hmm. What you basically want is to do filtering twice, right?

Well, in iptables we don't do things that way. The basic difference
between ipchains and iptables is that in ipchains, forwarded packets pass
through input-forward-output, and in iptables, they pass only through
FORWARD.

I went through some effort to make sure that cases like 'packet from
bridge device is routed to another bridge device' still see the FORWARD
chain only once instead of three times, or INPUT-FORWARD-OUTPUT or
whatever, and I think I did the right thing with this.

[ Not in the least because in my 'career' as free software developer I
have noticed that users will (whether intentionally or unintentionally)
screw up wherever they can, and doing things this way gives me the
ability to say 'read a netfilter HOWTO' and be done with it ;-) ]

Having read this, can you restate what you meant earlier?

thanks,
Lennert

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
