Here are some notes I have about Linux bridging. I'll try to separate what I know I know from what I think I know. Let's say I want to bridge eth0, eth1, and eth2 together, all with an IP Address of, say, 1.2.3.2. This is how to do it: echo "Setting up br0 to bridge eth0 with eth1 and eth2" /usr/sbin/brctl addbr br0 /usr/sbin/brctl addif br0 eth0 /usr/sbin/brctl addif br0 eth1 /usr/sbin/brctl addif br0 eth2 /sbin/ip addr add 1.2.3.2/24 dev br0 /sbin/ip link set br0 up Continuing with the above example, most of the writeups also say to remove any IP Addresses from eth0, eth1, and eth2. But I've found this doesn't seem necessary - well, sort of. Let's say that eth0 is at IP Address 1.2.3.2, and now I bridge eth0, eth1, and eth2 together and give bridge br0 the same IP Address of 1.2.3.2. Now I have a mess because both eth0 and br0 have the same IP Address. Doing this: ip addr del 1.2.3.2/24 dev eth0 cleans up the mess. But let's say that physical interface eth1 has IP Address 10.0.0.1. >From testing, it looks like other systems can ping 10.0.0.1 just fine, assuming they have a route to it. So I **think** I know that I can assign an IP Address to a raw interface, as long as it's a different IP Address than what I assigned to the overall bridge. But I haven't seen this capability documented anywhere. Let's say the bridge is up and working at IP Address 1.2.3.2. I have a system at IP Address 1.2.3.1 connected via eth0. That system can ping 1.2.3.2 easily. If I disconnect the Ethernet cable from eth0 and plug into eth1 or eth2, after about 30 seconds, that bridged system begins answering pings again. As indicated in the writeups, that spare PC with a bunch of NICs is now acting like a managed Ethernet switch. Cool! Filtering iptables is a super-sophisticated toolset to filter IP packets. ebtables is another toolset to filter at the OSI layer 2 (datalink) layer. iptables concerns itself (mostly) with routing across an IP network, computer to computer. ebtables concerns itself (mostly) with filtering packets across physical NIC interfaces in the same computer. Here is a great writeup on using ebtables and iptables together: http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html But - like everything I've been able to find so far, I don't think this writeup is completely accurate. iptables has a module called physdev. According to the writeup, I can use the iptables physdev module to filter among the raw interfaces in a bridge. But a discussion in the netfilter list essentially says that physdev is being removed because it creates all kinds of other problems. At least, I think that's what it says. The relevant discussion took place in early July 2006. Here is a pointer to the beginning of the discussion: https://lists.netfilter.org/pipermail/netfilter-devel/2006-July/024896.h tml So it looks like when filtering at the network layer, (IP in this case) use iptables. When filtering at the data link layer, use ebtables and maybe arptables. Avoid using -m physdev in iptables because it's going away. You can add IP Addresses to bridged eth-- interfaces as long as they don't conflict with the bridge IP Address(es). Next up will be to try some filtering scenarios with ebtables and iptables. - Greg Scott _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
