[Firehol-support] message from xt_physdev when running firehol in bridge configuration

Tsaousis, Costa costa at tsaousis.gr
Tue Nov 18 23:24:15 GMT 2014


Hi JT.

Thanks for the tip.
New options available:

physdev match options:
 [!] --physdev-in inputname[+]          bridge port name ([+] for wildcard)
 [!] --physdev-out outputname[+]        bridge port name ([+] for wildcard)
 [!] --physdev-is-in                    arrived on a bridge device
 [!] --physdev-is-out                   will leave on a bridge device
 [!] --physdev-is-bridged               it's a bridged packet

In your example you have used --physdev-is-bridged.
As I understand it, we have to use:

--physdev-is-bridged in routers
--physdev-is-in at the input of interfaces
--physdev-is-out at the output of interfaces

Since I cannot test it, I need your help to figure this out.
Do you agree?

Costa



On Tue, Nov 18, 2014 at 9:26 PM, JT <admin at jtlabs.net> wrote:
> I'm having the same problem using bridged traffic. My resolution has
> been to write my own manual iptables entries in firehol.conf.
>
> vif+  <> br0 <> br1<> eth1
>           /\
>           \/
>          eth0
>
> br0 and br1 have physical addresses associated with them (eth0/vif+ and
> eth1 respectively). Whenever I try to route or create interface rules
> with a physout/physin I get the syslog message (even though it is
> bridged traffic). Please let me know if it's user error.
>
> For example, firehol.conf has:
> router vm2inet inface vif+ outface br0 physout eth0
>     route all               accept
>
> which generates:
> "xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
> chains for non-bridged traffic is not supported anymore."
>
> instead I use:
> iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in vif+
> --physdev-out eth0 -j ACCEPT
>
> So far any combination of inface/outface/physin/physout generates the
> message. Let me know what other information I can provide.
>
> Thanks,
>
> JT
>
> On 11/18/2014 9:12 AM, Tsaousis, Costa wrote:
>> Hi Phineas,
>>
>> Can you trace it down?  Are you using physin/out on non-bridged traffic only?
>> Try to run a few commands by hand to check which ones complain.
>>
>> Regards,
>>
>> Costa
>>
>>
>>
>> On Tue, Nov 18, 2014 at 3:59 PM, Phineas Gage <phineas919 at gmail.com> wrote:
>>> Hi,
>>>
>>> I’m getting this message many times in my syslog when running firehol:
>>>
>>> xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
>>>
>>> This happens only when I use either the ‘physin’ or ‘physout’ keywords on either my router definitions or route subcommands for the br0 (bridge) interface. If I omit those keywords it doesn’t happen. Can I still use ‘physin’ and ‘physout’ with my bridge somehow? They’re useful for knowing which direction the traffic is going through the bridge...
>>>
>>> Phineas
>>>
>>> _______________________________________________
>>> Firehol-support mailing list
>>> Firehol-support at lists.firehol.org
>>> http://lists.firehol.org/mailman/listinfo/firehol-support
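As an added check (not code from the thread, and not part of firehol), the following Python script does by inspection what Costa suggests doing by hand: it audits an iptables-save dump for rules that use --physdev-out without a non-negated --physdev-is-bridged in OUTPUT, FORWARD, POSTROUTING, or in user chains jumped to from them, which is the condition the quoted xt_physdev message describes. The per-table keying, the -j chain walk and the sample dump are my assumptions.

```python
import shlex
from collections import defaultdict
OUT_HOOK_CHAINS = ("OUTPUT", "FORWARD", "POSTROUTING")  # hooks named in the kernel message

def parse_dump(dump):
    """Map (table, chain) -> token lists, one per -A line of an iptables-save dump."""
    rules, table = defaultdict(list), None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A ") and table:
            toks = shlex.split(line)
            rules[(table, toks[1])].append(toks[2:])
    return rules

def reachable(rules, roots):
    # Walk -j targets so user chains (firehol creates many) inherit their caller's hook.
    seen, stack = set(), list(roots)
    while stack:
        key = stack.pop()
        if key not in seen:
            seen.add(key)
            for toks in rules.get(key, []):
                if "-j" in toks:
                    stack.append((key[0], toks[toks.index("-j") + 1]))
    return seen

def unbridged_physdev_out(toks):
    # --physdev-out with no --physdev-is-bridged, or a negated one, is what the kernel refuses.
    if "--physdev-out" not in toks or "--physdev-is-bridged" not in toks:
        return "--physdev-out" in toks
    i = toks.index("--physdev-is-bridged")
    return i > 0 and toks[i - 1] == "!"

def find_offending_rules(dump):
    rules = parse_dump(dump)
    hooked = reachable(rules, [(t, c) for t in {t for t, _ in rules} for c in OUT_HOOK_CHAINS])
    return [(t, c, " ".join(toks)) for (t, c), lst in rules.items()
            if (t, c) in hooked for toks in lst if unbridged_physdev_out(toks)]

# Constructed sample: a firehol-style user chain reached from FORWARD, JT's bridged rule, an INPUT-side --physdev-in (fine) and a negated --physdev-is-bridged (not fine).
SAMPLE_DUMP = """\
*filter
-A FORWARD -i vif+ -o br0 -j vm2inet
-A vm2inet -m physdev --physdev-out eth0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif+ --physdev-out eth0 -j ACCEPT
-A INPUT -i br0 -m physdev --physdev-in eth0 -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged --physdev-out eth0 -j DROP
COMMIT
"""
```

Feed it the output of `iptables-save` on the bridge host to see which of the generated rules will produce the syslog message before loading a changed firehol.conf.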
