Package: iptables
Version: 1.4.4-2
Severity: normal

Hi,
iptables(8) states:

    [!] --physdev-out name
        Name of a bridge port via which a packet is going to be sent (for
        packets entering the FORWARD, OUTPUT and POSTROUTING chains). If the
        interface name ends in a "+", then any interface which begins with
        this name will match. Note that in the nat and mangle OUTPUT chains
        one cannot match on the bridge output port, however one can in the
        filter OUTPUT chain. If the packet won't leave by a bridge device or
        if it is yet unknown what the output device will be, then the packet
        won't match this option, unless '!' is used.

This doesn't work (anymore?) in the OUTPUT chain. Here's an explanation about this issue:

http://www.archivum.info/netfilter/2007-09/00022/Re:_Iptables_and_bridging

If eth0 and eth1 are part of bridge br0, the following command returns an error:

    iptables -A OUTPUT -m physdev --physdev-out eth0 -j LOG

If --physdev-is-bridged is added, the rule is added but never matches.

It seems --physdev-out only works in the FORWARD chain between the bridge interfaces:

    iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j LOG

This rule is added and also matches, but it gives the following error in syslog:

    physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

My guess would be that this error message is just a false positive, but it is not very reassuring.

The man page should be fixed regarding the OUTPUT chain, and it should be stated somewhere if it's OK to use --physdev-out in the FORWARD chain, despite the error message.
Cheers,
harry

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31.4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables depends on:
ii  libc6  2.9-25  GNU C Library: Shared libraries

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
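As an added illustration (not part of the bug report and not iptables project code), the following Python script lints an iptables-save style ruleset for the --physdev-out usages the report describes, and scans syslog lines for the kernel warning it quotes. It encodes two checks: any --physdev-out in an OUTPUT chain is flagged, since the report says such rules are either rejected or never match; and --physdev-out in FORWARD or POSTROUTING without --physdev-is-bridged is flagged as the combination that produced the "non-bridged traffic is not supported anymore" warning. Reading the warning as applying only to rules that lack --physdev-is-bridged is an assumption drawn from its wording, not a statement the report makes. The ruleset and syslog excerpt are constructed sample data.

```python
"""Lint physdev rules and spot the kernel's physdev warning in syslog.

Added example; the ruleset and log lines below are constructed, not taken
from the bug report. The heuristics follow the report's observations:
  - --physdev-out in OUTPUT is rejected, or never matches with --physdev-is-bridged
  - --physdev-out in FORWARD/POSTROUTING without --physdev-is-bridged triggers
    the "non-bridged traffic is not supported anymore" kernel warning
    (assumption: the warning is tied to the missing --physdev-is-bridged flag).
"""
import re
import shlex
from dataclasses import dataclass
from typing import List

# Chains named in the kernel warning quoted in the report.
WARNED_CHAINS = {"FORWARD", "POSTROUTING"}
KERNEL_WARNING = re.compile(r"physdev match: using --physdev-out")


@dataclass
class Finding:
    table: str
    chain: str
    rule: str
    reason: str


def lint_ruleset(save_text: str) -> List[Finding]:
    """Return one Finding per rule whose --physdev-out usage deserves review.

    Accepts text in iptables-save/iptables-restore format: a '*table' line
    starts each table, ':CHAIN' lines declare chains, '-A CHAIN ...' adds rules.
    """
    findings: List[Finding] = []
    table = "filter"
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        args = shlex.split(line)
        chain = args[1]
        if "physdev" not in args or "--physdev-out" not in args:
            continue
        bridged = "--physdev-is-bridged" in args
        if chain == "OUTPUT":
            findings.append(Finding(table, chain, line,
                "--physdev-out in OUTPUT: rejected by iptables, or added but "
                "never matching when --physdev-is-bridged is present"))
        elif chain in WARNED_CHAINS and not bridged:
            findings.append(Finding(table, chain, line,
                "--physdev-out without --physdev-is-bridged: the kernel logs "
                "'using --physdev-out ... for non-bridged traffic is not "
                "supported anymore' for this rule"))
    return findings


def scan_syslog(log_text: str) -> List[str]:
    """Return the syslog lines carrying the physdev match warning."""
    return [ln for ln in log_text.splitlines() if KERNEL_WARNING.search(ln)]


# Constructed sample ruleset: eth0 and eth1 are ports of bridge br0.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j LOG
-A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT
-A OUTPUT -m physdev --physdev-out eth0 -j LOG
-A INPUT -m physdev --physdev-in eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m physdev --physdev-out eth1 -j MASQUERADE
COMMIT
"""

# Constructed syslog excerpt: one kernel warning, one ordinary LOG-target line.
SAMPLE_SYSLOG = """\
Nov  3 10:12:01 host kernel: [  123.456] physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
Nov  3 10:12:02 host kernel: [  124.000] IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.0.2.10 DST=192.0.2.20 PROTO=ICMP
"""

if __name__ == "__main__":
    for f in lint_ruleset(SAMPLE_RULESET):
        print(f"[{f.table}/{f.chain}] {f.rule}\n    -> {f.reason}")
    for ln in scan_syslog(SAMPLE_SYSLOG):
        print("kernel warning seen:", ln)
```

Run against real data with `iptables-save | python3 lint_physdev.py` adapted to read stdin, and feed `/var/log/kern.log` to scan_syslog; a finding in the FORWARD chain paired with the warning line confirms the rule the report describes is the one the kernel is complaining about.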