Hello netfilter team,

Since the bridge-netfilter code is in the 2.5 kernel, Linux networking life gets some new interesting problems.

When a bridged IP packet is forwarded (inside the bridge code) it is seen by the iptables FORWARD chains. There the REJECT target can be used. It seems most natural that the ICMP message sent by this target should have the IP destination address of the original message as the IP source address of the ICMP message. This should be the normal behaviour for a bridging firewall (as pointed out by Pekka Savola) because, first of all, the bridge device could have no IP, and secondly, the IP message wasn't destined for the bridging box (on the MAC level), so it is not good to have its IP address as source address by default.

So, suppose I were to implement code inside ipt_REJECT.c (for 2.5) that checks whether the packet is being bridged and we are on the NF_IP_FORWARD hook, and if so uses the destination address of the original packet as the source address of the ICMP message. Would this then be accepted (if it looks ok)? Of course, this code would only be compiled if the bridge is enabled. One can then use SNAT to force the IP address of the bridge instead of this default behaviour, if needed.

--
cheers,
Bart

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
