Hello, I'm using the bridge-nf-0.0.10-against-2.4.19.diff patch against the RHL73 kernel.

Here:

  a.b.c.1  -- an outside host
  a.b.c.47 -- bridge IP address (assigned on br0)
  a.b.c.49 -- protected host behind the bridge

This doesn't work when I want to generate TCP resets on the bridge, with a rule like:

  iptables -A FORWARD -p TCP -j REJECT --reject-with tcp-reset

I log this and I get:

Nov 2 13:34:31 muuri kernel: disallowed by default: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=a.b.c.1 DST=a.b.c.49 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=63218 DF PROTO=TCP SPT=4666 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

And I get this message in the kernel log:

Nov 2 13:34:31 muuri kernel: br_netfilter: bridge_or_route hack doesn't work

Regular reject works, of course, but it seems to be using the bridge's IP address instead of the destination (but this may be a feature -- not sure how it worked on bridge+ipchains on 2.2 kernels):

13:37:40.901535 a.b.c.1.4426 > a.b.c.49.domain: 10622+ A? www.xxx.fi. (28) (DF)
13:37:40.901726 a.b.c.47 > a.b.c.1: icmp: a.b.c.49 udp port domain unreachable [tos 0xc0]

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
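The kernel messages quoted in the post are in the standard netfilter LOG format (key=value fields plus bare flag tokens such as DF and SYN), and the PHYSIN/PHYSOUT fields added by bridge-nf are what tell you a logged packet was on the bridged path rather than delivered locally. The following parser is an added example, not code from the post or from the bridge-nf project; it reads such lines, separates bridged from locally delivered packets, and picks up the br_netfilter warning so the two can be correlated. The sample log text is constructed here, modelled on the two messages in the post plus one invented locally delivered packet; the address forms a.b.c.N are the post's own placeholders.

```python
import re

# Constructed sample: the two kernel messages from the post, plus one
# invented locally delivered packet (no PHYSIN/PHYSOUT, empty OUT=).
SAMPLE_KLOG = """\
Nov 2 13:34:31 muuri kernel: disallowed by default: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=a.b.c.1 DST=a.b.c.49 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=63218 DF PROTO=TCP SPT=4666 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 2 13:34:31 muuri kernel: br_netfilter: bridge_or_route hack doesn't work
Nov 2 13:35:02 muuri kernel: disallowed by default: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=a.b.c.1 DST=a.b.c.47 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=4000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# A netfilter LOG line: optional log-prefix text after "kernel:", then the
# field list, which always starts with IN=.
NF_LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<body>IN=.*)$")
# The br_netfilter diagnostic quoted in the post.
BRNF_RE = re.compile(r"kernel:\s*br_netfilter:\s*(?P<msg>.*)$")


def parse_fields(body):
    """Split 'IN=br0 PHYSIN=eth0 ... DF ... SYN' into a dict of key=value
    fields and a list of bare flag tokens. An empty value (OUT=) is kept."""
    fields, flags = {}, []
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.append(tok)
    return fields, flags


def scan(text):
    """Turn raw kernel log text into a list of events: logged packets
    ('nflog') and br_netfilter warnings ('brnf'). Other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = NF_LOG_RE.search(line)
        if m:
            fields, flags = parse_fields(m.group("body"))
            events.append({"kind": "nflog", "prefix": m.group("prefix"),
                           "fields": fields, "flags": flags})
            continue
        m = BRNF_RE.search(line)
        if m:
            events.append({"kind": "brnf", "msg": m.group("msg")})
    return events


def is_bridged(event):
    """bridge-nf adds PHYSIN/PHYSOUT only for packets traversing the bridge."""
    return event["kind"] == "nflog" and (
        "PHYSIN" in event["fields"] or "PHYSOUT" in event["fields"])


def describe(event):
    """One-line summary of a logged packet, naming the physical ports
    for bridged traffic so a REJECT on the bridge path stands out."""
    f = event["fields"]
    path = f["IN"] + "->" + f["OUT"]
    if is_bridged(event):
        path = "%s->%s via %s" % (f.get("PHYSIN", "?"), f.get("PHYSOUT", "?"), f["IN"])
    ports = ""
    if f.get("PROTO") in ("TCP", "UDP"):
        ports = " %s->%s" % (f.get("SPT", "?"), f.get("DPT", "?"))
    return "%s: %s -> %s %s%s [%s]" % (
        path, f["SRC"], f["DST"], f.get("PROTO", "?"), ports, " ".join(event["flags"]))


def summarise(text):
    """Group events so bridged packets can be read next to br_netfilter warnings."""
    events = scan(text)
    return {
        "bridged": [describe(e) for e in events if is_bridged(e)],
        "local": [describe(e) for e in events
                  if e["kind"] == "nflog" and not is_bridged(e)],
        "brnf_warnings": [e["msg"] for e in events if e["kind"] == "brnf"],
    }


if __name__ == "__main__":
    for section, lines in summarise(SAMPLE_KLOG).items():
        print(section)
        for line in lines:
            print("  " + line)
```

On the sample, the first logged packet is reported as bridged (eth0->eth1 via br0, TCP 4666->23, flags DF SYN) and the br_netfilter warning appears immediately after it, which is the pairing the post describes; the invented third line, with IN=eth0 and no PHYSIN, lands in the locally delivered group.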
