does it mean, if use-ip-fw - the packet goes through the postrouting AGAIN ? Or is it some another postrouting ?
Bridging packet flow
There is a postrouting chain (bottom-left), and if packet goes to bridging after routing,
does it mean, if use-ip-fw - the packet goes through the postrouting AGAIN ? Or is it some another postrouting ?
does it mean, if use-ip-fw - the packet goes through the postrouting AGAIN ? Or is it some another postrouting ?
Re: Bridging packet flow
so it's just not working
I don't see market packets on 3rd layer postrouting chain, and that explains why out-bridge-port matcher not working also asked here
Does anyone know how it's supposed to work in theory ? Because there is no much explanation in documentation once again(
I saw a bridge postrouting chain on netfilter diagram, but I doubt it's the same as we have here
I don't see market packets on 3rd layer postrouting chain, and that explains why out-bridge-port matcher not working also asked here
Does anyone know how it's supposed to work in theory ? Because there is no much explanation in documentation once again(
I saw a bridge postrouting chain on netfilter diagram, but I doubt it's the same as we have here
Re: Bridging packet flow
There is a postrouting chain (bottom-left), and if packet goes to bridging after routing,
does it mean, if use-ip-fw - the packet goes through the postrouting AGAIN ?
No. After ip-fw packets go straight out to destination bridge ports, they don't loop through routing etc. again.
On the other hand, setting "use-ip-firewall" doesn't apply to routed packets at all (it's mentioned in Bridge manual, in the explanation of this setting). Because the whole diagram shown in opening post doesn't apply (bridging means L2 operation between bridge ports, excluding CPU-facing bridge port).
Note that ip firewall rules act slightly differently when called for bridged packets than when called for IP routed packets. For example, out-interface and in-interface are not known (or are both set to bridge interface), but there are in-bridge-port and out-bridge-port which are not available for normal IP firewalling. Etc.
Re: Bridging packet flow
There is a postrouting chain (bottom-left), and if packet goes to bridging after routing,
does it mean, if use-ip-fw - the packet goes through the postrouting AGAIN ?
No. After ip-fw packets go out to destinatikn bridge ports, they don't loop through routing etc.
Which means that ip firewall rules act slightly differently when called for bridged packets than when called for IP routed packets. For exampke, out-interface and in-interface are not known (or are both set to bridge interface), but there are in-bridge-port and out-bridge-port which are not available for normal IP firewalling. Etc.
Re: Bridging packet flow
Thanks @mkx
Do I get it right: a bridge packet goes through the routing chains only if it comes to a bridged port (the A entrance) ?
Do I get it right: a bridge packet goes through the routing chains only if it comes to a bridged port (the A entrance) ?
Re: Bridging packet flow
That's how I understand the explanation of packet flow.