coredump
2010-07-21 05:10:39
Because of the br-nf code that is available as a patch to linux 2.4 and used in linux 2.6:
The br-nf code makes bridged IP frames/packets go through the iptables chains. Ebtables filters on the Ethernet layer, while iptables only filters IP packets.
Since the traffic you are working is ip, iptables rules still apply because of br-nf passing the bridged packets to iptables.
This is a great resource to read about the interaction and this one details the functionality of br-nf code, including how to disable all or some of the functionalities (i.e. not passing bridge traffic to iptables).
The functionality is not working on 4.4.0-22-generic (ubuntu 16.04), even after I did
echo "1" > /sys/devices/virtual/net/br0/bridge/nf_call_arptables. Any ideas?Answering myself: # Load br_netfilter modprobe br_netfilter # Add to BROUTING chain rule to forward all ipv4 packets to iptables ebtables -t broute -A BROUTING -p ipv4 -i br0 -j DROP