author: Bart De Schuymer, 2002-09-27 16:40:13 +0000
committer: Bart De Schuymer, 2002-09-27 16:40:13 +0000
commit: 611c23e9abdbeca300467305b62b9c0f7bf3cd69
tree: 436dbe2e7cd9d0a5c5c13ef090b388767242ccc7 /docs/br_fw_ia
parent: 61d8e48e9fdbbd5d2098ad436eb8806030431536
deal with fact that ebtables is inside 2.5.x
Diffstat (limited to 'docs/br_fw_ia')
1 files changed, 4 insertions, 8 deletions
diff --git a/docs/br_fw_ia/br_fw_ia.html b/docs/br_fw_ia/br_fw_ia.html
index 174c293..aee5ae4 100644
--- a/docs/br_fw_ia/br_fw_ia.html
+++ b/docs/br_fw_ia/br_fw_ia.html
@@ -63,16 +63,12 @@
This document describes how <EM>iptables</EM> and
<EM>ebtables</EM> filtering tables interact on a Linux-based bridge.<BR>
Getting a bridging firewall consists of patching the kernel source
- code with two patches.
- The first patch adds <EM>ebtables</EM> support in the kernel.
- The second patch is called "br-nf-bds" and makes
- bridged IP frames/packets go through the <EM>iptables</EM> chains.
+ code with one or two patches.
+ Kernels 2.5.39 and above only need the "br-nf-bds" patch, since ebtables has been integrated in the 2.5.x series.
+ For other kernels, you need to first apply the patch that adds <EM>ebtables</EM> support in the kernel.
+ The "br-nf-bds" patch makes bridged IP frames/packets go through the <EM>iptables</EM> chains.
<EM>Ebtables</EM> filters on the Ethernet layer, while <EM>iptables</EM>
only filters IP packets.<BR>
- It is possible to use <EM>ebtables</EM> without compiling the br-nf-bds
- code into the kernel; and vice versa. The only reason why the br-nf-bds
- patch has to be applied after the <EM>ebtables</EM> patch is because
- some files are changed by both patches.<BR>
The explanations below will use the TCP/IP Network Model.
It should be noted that the br-nf-bds patch sometimes violates the
TCP/IP Network
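Review bot: The second removed block ("It is possible to use ebtables without compiling the br-nf-bds code into the kernel; and vice versa ...") is dropped entirely, yet the new text still tells readers of kernels below 2.5.39 to "first apply the patch that adds ebtables support" without saying why the order matters. The deleted explanation (some files are changed by both patches) still applies to exactly those kernels, so I would keep a shortened form of it next to the "For other kernels" sentence. The statement that ebtables and br-nf-bds can each be compiled in without the other is also lost; if that is still true it is worth keeping, because it tells an administrator whether bridged IP traffic reaches the iptables chains at all on a kernel that has only ebtables, which decides whether their iptables rules are actually filtering bridged frames. Minor style point: the three added lines after "code with one or two patches." are not wrapped like the surrounding HTML, and "Kernels 2.5.39 and above" alongside "the 2.5.x series" leaves the lower bound ambiguous; stating once that ebtables is in mainline from 2.5.39 would be clearer.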