There is a postrouting chain (bottom-left), and if packet goes to bridging after routing,
does it mean, if use-ip-fw - the packet goes through the postrouting AGAIN ? Or is it some another postrouting ?
so it’s just not working
I don’t see market packets on 3rd layer postrouting chain, and that explains why out-bridge-port matcher not working also asked here
Does anyone know how it’s supposed to work in theory ? Because there is no much explanation in documentation once again(
I saw a bridge postrouting chain on netfilter diagram, but I doubt it’s the same as we have here
No. After ip-fw packets go straight out to destination bridge ports, they don’t loop through routing etc. again.
On the other hand, setting “use-ip-firewall” doesn’t apply to routed packets at all (it’s mentioned in Bridge manual, in the explanation of this setting). Because the whole diagram shown in opening post doesn’t apply (bridging means L2 operation between bridge ports, excluding CPU-facing bridge port).
Note that ip firewall rules act slightly differently when called for bridged packets than when called for IP routed packets. For example, out-interface and in-interface are not known (or are both set to bridge interface), but there are in-bridge-port and out-bridge-port which are not available for normal IP firewalling. Etc.
No. After ip-fw packets go out to destinatikn bridge ports, they don’t loop through routing etc.
Which means that ip firewall rules act slightly differently when called for bridged packets than when called for IP routed packets. For exampke, out-interface and in-interface are not known (or are both set to bridge interface), but there are in-bridge-port and out-bridge-port which are not available for normal IP firewalling. Etc.
Thanks @mkx
Do I get it right: a bridge packet goes through the routing chains only if it comes to a bridged port (the A entrance) ?
That’s how I understand the explanation of packet flow.