Hi,
We found a bug in the current bridge+netfilter code: when in routing mode
and the out device is bound to a logical bridge device, the FORWARD
chain of the mangle table cannot see the real (or physical) out device.
The test scenario is like this:
                 _______
                |       |eth2
                |       |-------| brg0
          eth0  |       |eth1   |
    A---------->| Linux |-------|-------->B
                |_______|
eth1 and eth2 are bound together to make the bridge device brg0; host A
connects to the Linux box through eth0, host B connects through eth1.
From A pinging B,
in the FORWARD chain of the filter table, the real and logical in/out
devices can be seen as expected:
$ iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 372 packets, 22320 bytes)
 pkts bytes target     prot opt in     out     source               destination
  186 11160            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  186 11160            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  186 11160            all  --  brg0   *       0.0.0.0/0            0.0.0.0/0
  186 11160            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  186 11160            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0   <---
  186 11160            all  --  *      brg0    0.0.0.0/0            0.0.0.0/0
But in the mangle table, only the logical out device can be seen:
$ iptables -nvL FORWARD -t mangle
Chain FORWARD (policy ACCEPT 380 packets, 22800 bytes)
 pkts bytes target     prot opt in     out     source               destination
  190 11400            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  190 11400            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  190 11400            all  --  brg0   *       0.0.0.0/0            0.0.0.0/0
  190 11400            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0   <---
  190 11400            all  --  *      brg0    0.0.0.0/0            0.0.0.0/0
If eth0, eth1 and eth2 are all bound to one bridge device, there is no such problem.
We are using nf-0.0.7 against 2.4.18.
Best,
Zeng Yu
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
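The counter comparison the report makes by eye, as an added check that is not part of the original message or of the bridge/netfilter code: it parses two `iptables -nvL FORWARD` listings (the report's filter and mangle output, embedded below as sample input) and reports the in/out device pairs the first table counted packets for but the second never matched. The parser, its handling of counting-only rules with an empty target column, and the function names are my own assumptions.

```python
"""Compare per-device packet counters of the FORWARD chain across two
iptables tables to find an out-device one table never matches.

Added example for the bridge+netfilter report above; not the list's or
the kernel's own tooling.  Assumes `iptables -nvL` column layout, where
the opt column prints as "--" and counting-only rules have no target.
"""
import re
from typing import Dict, Set, Tuple

Key = Tuple[str, str]  # (in device, out device)

# Sample input: the two listings from the report, pasted as reported.
FILTER_FORWARD = """\
Chain FORWARD (policy ACCEPT 372 packets, 22320 bytes)
 pkts bytes target prot opt in out source destination
  186 11160 all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  186 11160 all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  186 11160 all -- brg0 * 0.0.0.0/0 0.0.0.0/0
  186 11160 all -- * eth0 0.0.0.0/0 0.0.0.0/0
  186 11160 all -- * eth1 0.0.0.0/0 0.0.0.0/0 <---
  186 11160 all -- * brg0 0.0.0.0/0 0.0.0.0/0
"""

MANGLE_FORWARD = """\
Chain FORWARD (policy ACCEPT 380 packets, 22800 bytes)
 pkts bytes target prot opt in out source destination
  190 11400 all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  190 11400 all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  190 11400 all -- brg0 * 0.0.0.0/0 0.0.0.0/0
  190 11400 all -- * eth0 0.0.0.0/0 0.0.0.0/0
    0     0 all -- * eth1 0.0.0.0/0 0.0.0.0/0 <---
  190 11400 all -- * brg0 0.0.0.0/0 0.0.0.0/0
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _count(tok: str) -> int:
    """iptables -nvL abbreviates large counters as 12K/3M/1G unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"not a counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_forward(listing: str) -> Dict[Key, int]:
    """Map (in, out) device pairs of a chain listing to summed packet counts."""
    counters: Dict[Key, int] = {}
    for raw in listing.splitlines():
        line = re.sub(r"\s*<-+\s*$", "", raw).strip()  # drop "<---" annotations
        if not line or line.startswith("Chain ") or line.startswith("pkts "):
            continue
        tok = line.split()
        # The opt column is "--"; in/out follow it.  A rule without a target
        # (pure counting rule, as in the report) just has one token fewer.
        if "--" not in tok:
            continue
        opt = tok.index("--")
        key: Key = (tok[opt + 1], tok[opt + 2])
        counters[key] = counters.get(key, 0) + _count(tok[0])
    return counters


def unseen_keys(reference: str, probe: str) -> Set[Key]:
    """(in, out) pairs the reference table counted but the probe never hit.

    Absolute totals are not compared (the two listings were taken at
    different moments), only counted-vs-never-counted.
    """
    ref = parse_forward(reference)
    prb = parse_forward(probe)
    return {k for k, n in ref.items() if n > 0 and prb.get(k, 0) == 0}


def report(reference: str, probe: str) -> str:
    """Human-readable summary of the devices the probe table cannot see."""
    missing = sorted(unseen_keys(reference, probe))
    if not missing:
        return "probe table matched every device pair the reference table counted"
    pairs = ", ".join(f"in={i} out={o}" for i, o in missing)
    return f"probe table never matched: {pairs}"


if __name__ == "__main__":
    print("filter -> mangle:", report(FILTER_FORWARD, MANGLE_FORWARD))
    print("mangle -> filter:", report(MANGLE_FORWARD, FILTER_FORWARD))
```

On a live box, feed it the output of `iptables -nvL FORWARD` and `iptables -nvL FORWARD -t mangle` captured after the same ping run; a pair that shows up only in one direction of the comparison is a table that cannot see that device, which is exactly the `out eth1` row the report points at.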