[Bridge] ebtables/iptables ambiguity

Nicolas de Pesloüan nicolas.2p.debian at free.fr
Tue Dec 22 13:43:11 PST 2009


Jonathan Thibault wrote:
> I am trying to use connmark based on the bridge output port.
> 
> Normally, I would:
> 
> ...
> iptables -t mangle -A VMARK -i out -m physdev --physdev-out in.15 -j MARK --or-mark 0x00F
> ...
> iptables -t mangle -A VMARK -j CONNMARK --save-mark
> 
> (VMARK is called in -t mangle POSTROUTING)
> 
> But since this traffic is routed and not bridged, I get the expected:
> 
> "physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore."
> 
> Now I could use ebtables to perform the mark in, say, filter FORWARD, but would it know which member interface the packets are going if the traffic is not being bridged?  And if so, would the mark appear in time for me to -j CONNMARK --save-mark in POSTROUTING/VMARK?
> 
> I obviously could try it to see if it works, but I'd rather *understand* what I'm doing first ;)

If you want to try and understand the relation between ebtables and routing, have a look at http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and in particular at the nice picture at the end: http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png

'hope this helps.

	Nicolas.
