Package: iptables
Version: 1.4.4-2
Severity: normal

Hi,

iptables(8) states:

       [!] --physdev-out name
              Name of a bridge port via which a packet is going to be sent 
              (for packets entering the FORWARD, OUTPUT and POSTROUTING 
              chains). If the interface name ends in a "+", then any 
              interface which begins with this name will match. Note that in 
              the nat and mangle OUTPUT chains one cannot match on the bridge 
              output port, however one can in the filter OUTPUT chain. If the 
              packet won't leave by a bridge device or if it is yet unknown 
              what the output device will be, then the packet won't match this 
              option, unless '!' is used.

This doesn't work (anymore?) in the OUTPUT chain. Here's an explanation about 
this issue: 
  http://www.archivum.info/netfilter/2007-09/00022/Re:_Iptables_and_bridging

If eth0 and eth1 are part of bridge br0, the following command returns an error:
  iptables -A OUTPUT -m physdev --physdev-out eth0 -j LOG

If --physdev-is-bridged is added, the rule is added but never matches.

It seems --physdev-out only works in the FORWARD chain between the bridge
interfaces:
  iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j LOG

This rule is added and also matches, but it gives the following error in syslog:
  physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING 
  chains for non-bridged traffic is not supported anymore.

My guess would be that this error message is just a false positive, but
it is not very reassuring.

The man page should be fixed regarding the OUTPUT chain, and it should be stated
somewhere whether it's OK to use --physdev-out in the FORWARD chain despite the
error message.

Cheers,
harry



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31.4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables depends on:
ii  libc6                         2.9-25     GNU C Library: Shared libraries

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
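Reproducing the three rule insertions described in the report on a throw-away bridge is the quickest way for a maintainer to confirm which of them iptables rejects and which one makes the kernel log the quoted message. The script below is an added example, not part of the original report or of the iptables project. The namespace and interface names (physdevbug, br-test, bridge ports v0/v1 with veth peers p0/p1) are constructed for this script; the reproduction itself needs root, iproute2 with namespace support, iptables and, on kernels from 3.18 on, the br_netfilter module, since without it the physdev match has no bridge information. The log-checking helpers are plain POSIX sh and run unprivileged.

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables project): reproduce
# the three physdev rule insertions described in the report inside a network
# namespace and check the kernel log for the quoted warning.
# Constructed names: namespace "physdevbug", bridge "br-test", ports v0/v1
# with veth peers p0/p1. Needs root, iproute2, iptables; on kernels >= 3.18
# the physdev match also needs the br_netfilter module loaded.

# Stable prefix of the kernel message quoted in the report.
PHYSDEV_WARNING='physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING'

# Build the iptables command for a filter-table rule in CHAIN, so every
# command the script runs is printed verbatim and can be re-typed by hand.
physdev_rule_cmd() {
    chain=$1
    shift
    printf 'iptables -t filter -A %s %s\n' "$chain" "$*"
}

# Exit 0 if a kernel/syslog line is the physdev warning, 1 otherwise.
is_physdev_warning() {
    case $1 in
        *"$PHYSDEV_WARNING"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count physdev warnings in log text read from stdin (e.g. dmesg output).
count_physdev_warnings() {
    n=0
    while IFS= read -r line; do
        if is_physdev_warning "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Insert one rule in the test namespace; report whether iptables accepted it
# and whether the insertion added a physdev warning to the kernel log.
try_rule() {
    chain=$1
    shift
    cmd=$(physdev_rule_cmd "$chain" "$@")
    before=$(dmesg | count_physdev_warnings)
    if ip netns exec "$NS" $cmd >/dev/null 2>&1; then
        status=accepted
    else
        status=rejected
    fi
    after=$(dmesg | count_physdev_warnings)
    if [ "$after" -gt "$before" ]; then
        warned=" (kernel logged the physdev warning)"
    else
        warned=""
    fi
    echo "$status: $cmd$warned"
}

run_repro() {
    NS=physdevbug
    trap 'ip netns del "$NS" 2>/dev/null' EXIT
    ip netns add "$NS"
    # Two veth pairs inside the namespace; v0 and v1 become bridge ports.
    for i in 0 1; do
        ip -n "$NS" link add "v$i" type veth peer name "p$i"
        ip -n "$NS" link set "p$i" up
        ip -n "$NS" link set "v$i" up
    done
    ip -n "$NS" link add br-test type bridge
    ip -n "$NS" link set v0 master br-test
    ip -n "$NS" link set v1 master br-test
    ip -n "$NS" link set br-test up

    # The three cases from the report, with v0/v1 in place of eth0/eth1.
    try_rule OUTPUT -m physdev --physdev-out v0 -j LOG
    try_rule OUTPUT -m physdev --physdev-is-bridged --physdev-out v0 -j LOG
    try_rule FORWARD -m physdev --physdev-in v0 --physdev-out v1 -j LOG
}

# Only run the privileged reproduction when asked for explicitly:
#   sudo sh physdev-repro.sh run
if [ "${1:-}" = run ]; then
    run_repro
fi
```

The namespace is deleted by the EXIT trap, so the host's own rule set and bridges are never touched; comparing the warning count in dmesg before and after each insertion attributes the message to the specific rule that provoked it rather than to traffic.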
