Interface matching of firewall forwarding rules

Damien Miller (dmiller@ilogic.com.au)
Fri, 19 Feb 1999 13:40:26 +1100 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: =?ISO-8859-1?Q?Andr=E9_Dahlqvist?=: "Re: 2.2.1 and my Laserjet"
Previous message: Ben Hutchings: "Re: bug or feature?"
Next in thread: Paul Rusty Russell: "Re: Interface matching of firewall forwarding rules"
Maybe reply: Paul Rusty Russell: "Re: Interface matching of firewall forwarding rules"

We have just noticed something curious when examining the
CONFIG_IP_FIREWALL_VERBOSE outputs of onw of our firewalls.

It seems that packets rejected by forwarding rules are done so
based on their outgoing interface, rather than the incoming one.

The behaviour seems to apply to kernel 2.0.36 and 2.2.1pre4.

This seems counter-intuitive, I would expect the firewall code to
match the interface that the packet was received on.

The docs for ipchains and ipfwadm are ambiguous, stating that
matches occur based upon the "name of an interface via which a
packet is received, or via which is packet is going to be sent."

Can anyone offer a rationale for this behaviour?

Thanks,
Damien Miller

-- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogic.com.au/~dmiller | Email: dmiller@ilogic.com.au (home) -or- damien@ibs.com.au (work)

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: =?ISO-8859-1?Q?Andr=E9_Dahlqvist?=: "Re: 2.2.1 and my Laserjet"
Previous message: Ben Hutchings: "Re: bug or feature?"
Next in thread: Paul Rusty Russell: "Re: Interface matching of firewall forwarding rules"
Maybe reply: Paul Rusty Russell: "Re: Interface matching of firewall forwarding rules"