Pascal Hambourg wrote:
> Hello,
>
> Philip A. Prindeville wrote:
>> I have a DSL card (a Traverse Technologies Solos ATM/DSL card) that
>> exposes a PPPoE adaptation layer as an ethernet interface (nas0).
>
> I guess you mean ethernet/LLC AAL5 instead of PPPoE.
>
>> I've set up bridging (br0=eth0+nas0). And I'm using an iptables based firewall
>> (Arno's iptables firewall 1.9.2c).
>>
>> I'm running PPP over br0. (Why did I do this? So I could stick a
>> packet sniffer on eth0 and get traces of everything going out over the
>> DSL...)
>
> Prepare to be disappointed. A bridge port does not see traffic that
> flows between other ports.

Oh, right. I was confused. I was thinking of actually having an "FBI jack" for watching traffic. Does that use the 'TEE' target, or what?

-Philip

>> Problem is, I can't tell if I need to set my external (ingress) interface to br0,
>> or to ppp0... because the logs show both (IN=br0 and IN=ppp0) -- even for the same
>> packet! Not sure why.
>>
>> Any suggestions (besides "don't use bridging!!!")?
>>
>> Is this an artifact of PPP and pseudo-interfaces, or of bridging, or both?
>
> I didn't watch your logs closely, but this might be caused by bridge-nf
> which passes bridged IP packets to iptables. Since Linux 2.6.22 it can
> even pass IP packets encapsulated in PPPoE frames. Useful when you want
> to set up a filtering bridge, but may have undesirable effects when you
> want a plain transparent bridge. And you know what? This is enabled by
> default. If you don't need/want iptables to see bridged traffic
> (iptables will still see normal routed IP traffic at bridge interfaces),
> clear all parameters in /proc/sys/net/bridge/, especially
> bridge-nf-filter-pppoe-tagged.
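The bridge-nf parameters Pascal points at live as one file each under /proc/sys/net/bridge/ (bridge-nf-call-iptables, bridge-nf-call-ip6tables, bridge-nf-call-arptables, bridge-nf-filter-vlan-tagged, bridge-nf-filter-pppoe-tagged). The script below is an added example, not code from the thread or from either poster: it reports which of them are enabled and emits the `sysctl -w` commands that would clear them, without running anything itself. The function names and the `BRIDGE_NF_DIR` override are my own; the override exists so the functions can be exercised against a constructed snapshot directory instead of the live kernel.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the bridge-nf sysctls and
# generate the commands that would clear them.
# BRIDGE_NF_DIR defaults to the real path; point it at a constructed
# directory of "name -> 0/1" files to test the logic offline.
BRIDGE_NF_DIR="${BRIDGE_NF_DIR:-/proc/sys/net/bridge}"

# Print "name value" for every bridge-nf parameter found in the directory.
# Returns 1 if the directory is absent (bridge-nf not compiled in or, on
# newer kernels, the br_netfilter module not loaded).
bridge_nf_report() {
    dir="${1:-$BRIDGE_NF_DIR}"
    [ -d "$dir" ] || { echo "no $dir: bridge-nf not available" >&2; return 1; }
    for f in "$dir"/bridge-nf-*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count how many bridge-nf parameters are currently enabled (non-zero).
bridge_nf_enabled_count() {
    bridge_nf_report "$1" | awk '$2 != 0 { n++ } END { print n+0 }'
}

# Emit, but do not run, the sysctl command that clears each enabled
# parameter. Review the list before applying it: once
# bridge-nf-call-iptables is 0, iptables no longer sees frames forwarded
# between bridge ports, only IP traffic routed via the bridge interface,
# so any rules that relied on filtering bridged traffic stop matching.
bridge_nf_disable_cmds() {
    bridge_nf_report "$1" | awk '$2 != 0 { printf "sysctl -w net.bridge.%s=0\n", $1 }'
}

# Stand-alone usage against the live system (uncomment to run):
# bridge_nf_report && bridge_nf_disable_cmds
```

On Philip's setup the interesting line of the report is bridge-nf-filter-pppoe-tagged: with it set, the IP packet inside the PPPoE frame is handed to iptables while still on the bridge (logged as IN=br0) and again after PPP decapsulation (IN=ppp0), which matches the doubled log entries he saw.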