Oops guys, I am so sorry about my miserable quote style ...
thank you Lennert for your prompt reply.
Let me restate my problem below.

> -----Original Message-----
> From: Lennert Buytenhek [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 31, 2002 12:01 PM
> To: indra g. harijono
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Bridge] Bridge and netfilter patch
>
>
>
> On Thu, Jan 31, 2002 at 10:00:21AM -0500, indra g. harijono wrote:
>
> > Hi Lennert,
>
> Hi,
>
> Can you please quote stuff properly next time?
>
>
> > > > I am (roughly) thinking when netfilter has PREROUTING, FORWARD and
> > > > POSTROUTING filter, maybe bridge should be defined like PREIP, BFORWARD
> > > > and POSTIP ?
> > >
> > > Why?
> >
> > Based on my understanding, I can use bridge and ignore the routing
> > process (ip stack).
>
> Yes.
>
>
> > But sometime I would like to filter the packets (for forwarding)
> > on the bridge level and/or also to pass to ip stack to do ip router
> > functionalities.
>
> I'm not sure what you mean here.
>
>
> > On the ip stack I would like to do filtering again with the
> > netfilter architecture. Therefore I was thinking like that, or do you
> > have comments or ideas ?
>
> Hmm.
>
> What you basically want is to do filtering twice, right?  Well, in iptables
> we don't do things that way.  The basic difference between ipchains and
> iptables is that in ipchains, forwarded packets pass through
> input-forward-output, and in iptables, they pass only through FORWARD.
>
> I went through some effort to make sure that cases like 'packet from
> bridge device is routed to another bridge device' still see the FORWARD
> chain only once instead of three times, or INPUT-FORWARD-OUTPUT or
> whatever, and I think I did the right thing with this.
>
> [ Not in the least because in my 'career' as free software developer I have
>   noticed that users will (whether intentionally or unintentionally) screw
>   up wherever they can, and doing things this way gives me the ability to
>   say 'read a netfilter HOWTO' and be done with it ;-)  ]
>
> Having read this, can you restate what you meant earlier?
>
>

Yes, I would like to filter several times.
Maybe I need to study the netfilter architecture deeper. I thought netfilter
including iptables indeed handled the chains input-forward-output, the opposite
of what you mentioned above.
My problem is that I would like to filter at the bridge level, let's say every
(IP) packet with destination host X.X.X.X; when I find those packets, I
would like them to be stolen and passed to the ip stack, and there I
would like to write iptables rules to filter e.g. only packets with port
number 21 and have them matched (dealt with) by my module or delivered to my
application using the iptables queue. Unfortunately I still do not have a
configuration or source code to show it (maybe in several weeks it would be
possible). But whatever the case, I would like to filter the packets several
times at different levels (bridge/routing).

Lennert, thank you for your continuous discussion effort. I just have
confidence that bridge can be a very helpful and practical utility to
leverage the use of (my) network (services), as the netfilter architecture is
as well.


> thanks,
> Lennert

ciao
indra

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
