Hello,

After extensive testing I found that DNAT'ing on PREROUTING does not work the way I assume we want it to. A simple configuration: two physical NICs belonging to the logical bridge device, br0 = eth0 + eth1. Say computer A is on the eth0 side and computer B is on the eth1 side (same netmask).

Computer A pings the bridge, but in the iptables PREROUTING chain it says this traffic has to be DNAT'ed to computer B. So, I hope you agree this is still bridged traffic. Well, according to 0.0.6 this is routed traffic. The reason is that ip_route_input() will only fail if it has no route to the destination or if IP forwarding is disabled. So, on the DNAT above it will not fail. As a consequence br_nf_pre_routing_finish() changes the MAC destination address, so the packet will be routed.

The way to use ip_route_input() is as follows: if it fails, we drop the packet, after giving a message to the log if IP forwarding is disabled. If it doesn't fail, we check whether (skb->dst->dev == skb->dev). If this is true, the packet is destined for the same bridge device and the packet is a bridged packet. Else it's a routed packet.

I have made a patch that includes this (and more), see the next mail.

cheers,
Bart

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
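The bridged-versus-routed decision described in the mail above, as an added userspace model; this is not Bart's patch and not kernel code. The routing table, the addresses (bridge at 192.168.1.1, B at 192.168.1.20, a third interface eth2), and the names `model_ip_route_input`, `classify_after_prerouting` and `dnat_then_classify` are constructed for illustration. It reproduces the three outcomes the mail lists: lookup failure drops the packet (with a log line when forwarding is off), an output device equal to the input device means the frame stays bridged, and any other output device means it is routed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a host-order IPv4 address from dotted quads (constructed helper). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum verdict { VERDICT_BRIDGED = 0, VERDICT_ROUTED = 1, VERDICT_DROP = 2 };

struct route_entry {
    uint32_t prefix;
    uint32_t mask;
    const char *out_dev;   /* what skb->dst->dev would be after the lookup */
};

/* Constructed routing table for the host running the bridge: the bridge
 * subnet is directly connected on br0; 10.1.0.0/16 is reachable through a
 * third, non-bridged interface eth2. Nothing else is routable. */
static const struct route_entry route_table[] = {
    { IP4(192, 168, 1, 0), IP4(255, 255, 255, 0), "br0"  },
    { IP4(10, 1, 0, 0),    IP4(255, 255, 0, 0),   "eth2" },
};

/* Stand-in for ip_route_input() on a forwarded destination: returns the output
 * device, or NULL when the lookup fails. As the mail describes, it fails when
 * there is no route or when IP forwarding is disabled. Local delivery to the
 * bridge's own address is deliberately left out of this model. */
static const char *model_ip_route_input(uint32_t daddr, int ip_forward)
{
    size_t i;
    if (!ip_forward)
        return NULL;
    for (i = 0; i < sizeof route_table / sizeof route_table[0]; i++)
        if ((daddr & route_table[i].mask) == route_table[i].prefix)
            return route_table[i].out_dev;
    return NULL;
}

struct skb_model {
    const char *dev;    /* skb->dev: the bridge device the frame came in on */
    uint32_t daddr;     /* IP destination after any PREROUTING DNAT */
};

/* The decision proposed for br_nf_pre_routing_finish():
 *   lookup failed            -> drop, logging only when forwarding is disabled
 *   dst device == input dev  -> still bridged traffic, leave the frame alone
 *   otherwise                -> routed traffic (MAC destination gets rewritten) */
enum verdict classify_after_prerouting(const struct skb_model *skb, int ip_forward,
                                       char *log, size_t loglen)
{
    const char *out_dev = model_ip_route_input(skb->daddr, ip_forward);
    if (log && loglen)
        log[0] = '\0';
    if (!out_dev) {
        if (!ip_forward && log)
            snprintf(log, loglen, "br_netfilter: dropping packet, IP forwarding is disabled");
        return VERDICT_DROP;
    }
    return strcmp(out_dev, skb->dev) == 0 ? VERDICT_BRIDGED : VERDICT_ROUTED;
}

/* Scenario from the mail: A (eth0 side) pings the bridge address and a
 * PREROUTING DNAT rule rewrites the destination to new_daddr. */
enum verdict dnat_then_classify(uint32_t new_daddr, int ip_forward, char *log, size_t loglen)
{
    struct skb_model skb = { "br0", IP4(192, 168, 1, 1) };  /* bridge's own IP (constructed) */
    skb.daddr = new_daddr;                                   /* DNAT target */
    return classify_after_prerouting(&skb, ip_forward, log, loglen);
}

/* Returns 1 when a drop caused by ip_forward=0 produces a log line. */
int drop_with_forwarding_off_is_logged(void)
{
    char log[128];
    enum verdict v = dnat_then_classify(IP4(192, 168, 1, 20), 0, log, sizeof log);
    return v == VERDICT_DROP && log[0] != '\0';
}

int main(void)
{
    static const char *names[] = { "bridged", "routed", "dropped" };
    char log[128];
    printf("DNAT to B (192.168.1.20):      %s\n",
           names[dnat_then_classify(IP4(192, 168, 1, 20), 1, log, sizeof log)]);
    printf("DNAT to 10.1.2.3 (via eth2):   %s\n",
           names[dnat_then_classify(IP4(10, 1, 2, 3), 1, log, sizeof log)]);
    printf("DNAT to 172.16.0.1 (no route): %s\n",
           names[dnat_then_classify(IP4(172, 16, 0, 1), 1, log, sizeof log)]);
    printf("ip_forward=0:                  %s (%s)\n",
           names[dnat_then_classify(IP4(192, 168, 1, 20), 0, log, sizeof log)], log);
    return 0;
}
```

The first case is the one the mail complains about: the DNAT target is on the bridge's own subnet, so the lookup comes back with br0, equal to the input device, and the frame is classified as bridged instead of having its MAC destination rewritten.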
