[PATCH] support --physdev-out for routed packets

Philip Craig philipc at snapgear.com
Fri Jul 13 02:58:03 CEST 2007

Patrick McHardy wrote:
> It's probably also racy wrt. fdb changes.

Yes.  It could modify the bridging code to only forward to the
physoutdev stored in nf_bridge, or store the fdb result in
nf_bridge and avoid the second fdb lookup.

> The thing I still don't get
> is .. if you combine a bunch of devices in a bridge, why would you
> care which port a packet will leave through? If you already know
> behind which port something is reachable, why use a bridge? And if
> you don't know I suppose you have nothing to filter by.

The devices in the bridge represent different security zones.
Using a bridging firewall gives physical separation of these zones
without requiring additional IP networks or configuration changes
for the machines on those networks.  The security policy has rules
defined primarily in terms of the zones, not the individual machines
in those zones.  Matching on just IP address is not enough, because
it does not enforce the physical separation.

We definitely could configure the firewall to know which address
is behind which port, and enforce this in ebtables.  This is the
solution Shorewall has used (I haven't looked to see if it enforces
the ports).  But that requires more configuration.  Basically it is
just a convenience argument.  I'll definitely be trying to migrate
things to this setup though.
