[Bridge] interaction of bridge with netfilter

Joubert Berger joubertb at gmail.com
Wed Feb 6 12:07:26 PST 2008


I am seeing some strange behavior and was hoping someone might be able to
shed some light on what I am seeing.

First my setup:
Running rhel4 (2.6.9-42-EL kernel)

----> (eth1) Linux Bridge (eth2) -->  10.10.3.101

I only have one machine sitting off of eth2.

I have the iptables rule:

iptables -A FORWARD -j LOG

So, I am logging everything that goes over the bridge.  I
am expecting to see all traffic to 10.10.3.101 and anything that
is broadcast address. (Is that a correct assumption?)

I was looking at http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png,
and if I read it correctly, the bridge decision is being done before the
packet reaches the FORWARD chain of the filter table.

The problem is that I am seeing SYN packets for machines that are
not on the eth2 segment of the bridge.  Is this correct behavior?  I am
seeing the packets in the LOG output, and running ethereal on eth2 also
shows these packets.

Anyone have any ideas why this is happening?  Or is it working as expected?

--joubert
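To see which of the logged SYNs are actually destined for a host that is not known to be behind eth2, it helps to run the LOG output through a small filter instead of reading it by eye. The script below is an added example, not code from the original post or from the bridge or netfilter projects. It parses lines in the format the iptables LOG target writes to the kernel log (the IN/OUT/PHYSIN/PHYSOUT/SRC/DST/PROTO/SPT/DPT fields and the TCP flag words), keeps only SYNs bridged out of a given port, and reports those whose destination is neither a known host on that segment nor the segment broadcast. The log lines, addresses and the 10.10.3.0/24 mask are constructed for the example; the post only states that 10.10.3.101 sits behind eth2.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample LOG output (same field layout the iptables LOG target
# produces for bridged packets; addresses other than 10.10.3.101 are made up).
SAMPLE_LOG = """\
Feb  6 12:01:01 br kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth2 SRC=10.10.1.5 DST=10.10.3.101 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 12:01:02 br kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth2 SRC=10.10.1.5 DST=10.10.3.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 12:01:03 br kernel: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=10.10.3.101 DST=10.10.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=22 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Feb  6 12:01:04 br kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth2 SRC=10.10.1.5 DST=10.10.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb  6 12:01:05 br kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth2 SRC=10.10.1.5 DST=10.10.3.102 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# TCP flag words the LOG target prints between RES= and URGP=.
FLAG_WORDS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_log_line(line):
    """Split one LOG line into its KEY=value fields and the set of TCP flags.

    Fields that appear twice (LEN= for UDP) keep the last value, which is
    enough for the SRC/DST/PROTO/DPT/PHYSOUT fields this example relies on.
    """
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    flags = {w for w in FLAG_WORDS if re.search(r"\b%s\b(?!=)" % w, line)}
    return fields, flags


def unexpected_syns(log_text, segment_port, known_hosts, segment_net):
    """Return (src, dst, dport) for every initial SYN bridged out of
    segment_port whose destination is neither a known host on that
    segment nor the segment's broadcast address."""
    hosts = {ip_address(h) for h in known_hosts}
    net = ip_network(segment_net)
    hits = []
    for line in log_text.splitlines():
        fields, flags = parse_log_line(line)
        # Only frames the bridge forwarded out of the segment we care about.
        if fields.get("PHYSOUT") != segment_port or fields.get("PROTO") != "TCP":
            continue
        # Initial SYN only; a SYN/ACK is the reply and is not interesting here.
        if "SYN" not in flags or "ACK" in flags:
            continue
        dst = ip_address(fields["DST"])
        if dst in hosts or dst == net.broadcast_address:
            continue
        hits.append((fields["SRC"], fields["DST"], int(fields["DPT"])))
    return hits


if __name__ == "__main__":
    # Assumed segment: the single host 10.10.3.101 from the post, on a
    # constructed 10.10.3.0/24 so that 10.10.3.255 is its broadcast.
    for src, dst, dport in unexpected_syns(SAMPLE_LOG, "eth2",
                                           ["10.10.3.101"], "10.10.3.0/24"):
        print("SYN bridged to eth2 for non-segment host: %s -> %s:%d"
              % (src, dst, dport))
```

Two caveats when reading the output. Whether bridged frames traverse the iptables FORWARD chain at all is governed by /proc/sys/net/bridge/bridge-nf-call-iptables, so an empty report may mean the hook is off rather than that nothing crossed the bridge. And a learning bridge floods a frame to every port until it has seen the destination MAC, so a handful of unknown-destination SYNs on eth2 is normal bridge behaviour; what a defender wants to watch is a sustained stream of them, which this filter makes easy to count.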