Ebtables hook order anomaly (was: ebtables and iptables different behavior between 2.6.18 on fc6 and 2.6.23 on fc8)

On Tuesday 2008-03-25 03:28, Jan Engelhardt wrote:

 None of my packets that were supposed to have that "3" mark ever kept
 them.  For some reason, they either never were marked or they were
 marked and then the mark disappeared.

I can reproduce it. [...]
Now that is indeed interesting. I had this thought, maybe the mark does not disappear, maybe ebtables is run -- contrary to most graphics depicting the netfilter flow -- _after_ iptables. So I tried:

	iptables -t mangle -A POSTROUTING -j LOG --log-prefix "[ipt] " -d 134.76.13.21
	ebtables -A OUTPUT -p ipv4 --ip-destination 134.76.13.21 --log --log-prefix "[ebt] "

with the result of:

	[214961.190130] [ipt] IN= OUT=br0 SRC=10.10.106.161 DST=134.76.13.21 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59252 SEQ=1

	[214961.190186] [ebt]  IN= OUT=sis0 MAC source = 00:0a:e6:98:ed:d7 MAC dest = 68:a8:3e:d3:d0:fb proto = 0x0800

which means ebtables actually comes after iptables, and hence, your mark 3 will not show up as you expected.

 So my questions - what changed with the interaction between iptables and
 ebtables?

I'm going to figure out now...

I tested a 2.6.18 and experienced the same order of [ipt] and [ebt].
This means that trying to

	$EBTABLES -t filter -A OUTPUT -o $INET_IFACE \
	-j mark --mark-set 3 --mark-target CONTINUE

you will never see mark 3 (at least not when generated in ebt/OUTPUT)
in iptables again.


->

Altogether, this made me re-evaluate the Netfilter hook/table
ordering as to wtf is going on. The end result? I was surprised to
notice an odd order of packet flow inside Ebtables, depicted in the
updated image at http://jengelh.hopto.org/images/nf-packet-flow.png
It certainly explains things not going as expected on Greg's side.

I used -j TRACE for iptables and --log in ebtables to find the actual order, and something else caught my eye as well.

This is the syslog dump on a router confused with an IP-less
br0 bridge enslaving rtl0 and vmnet1 (i.e. a pure passthru bridge).

From what can be observed, the ICMP Echo Reply packet (the last line
with 06:54:30, and also :31, and so on) is not hitting
TRACE:nat:POSTROUTING --- only the ICMP Echo Request is. How can this
happen?


[e-n-PR] = [ebtables-{nat|filter}-{PRerouting,Forward,POstrouting}]

06:54:30 [227559.984918] [e-n-PR]  IN=rtl0 OUT= MAC source = 00:0c:29:77:f2:bd MAC dest = 00:0c:29:a4:a5:b2 proto = 0x0800
06:54:30 [227559.984976] TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= PHYSIN=rtl0 MAC=00:0c:29:a4:a5:b2:00:0c:29:77:f2:bd:08:00 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TY
06:54:30 [227559.985034] TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=rtl0 MAC=00:0c:29:a4:a5:b2:00:0c:29:77:f2:bd:08:00 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
06:54:30 [227559.985072] TRACE: nat:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=rtl0 MAC=00:0c:29:a4:a5:b2:00:0c:29:77:f2:bd:08:00 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TY
06:54:30 [227559.985117] [e-f-F]  IN=rtl0 OUT=vmnet1 MAC source = 00:0c:29:77:f2:bd MAC dest = 00:0c:29:a4:a5:b2 proto = 0x0800
06:54:30 [227559.985141] TRACE: mangle:FORWARD:policy:3 IN=br0 OUT=br0 PHYSIN=rtl0 PHYSOUT=vmnet1 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44042 SEQ=7
06:54:30 [227559.985166] TRACE: filter:FORWARD:policy:5 IN=br0 OUT=br0 PHYSIN=rtl0 PHYSOUT=vmnet1 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44042 SEQ=7
06:54:30 [227559.985188] [e-n-PO] IN= OUT=vmnet1 MAC source = 00:0c:29:77:f2:bd MAC dest = 00:0c:29:a4:a5:b2 proto = 0x0800
06:54:30 [227559.985211] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=br0 PHYSIN=rtl0 PHYSOUT=vmnet1 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44042 SEQ=7
06:54:30 [227559.985252] TRACE: nat:POSTROUTING:policy:3 IN= OUT=br0 PHYSIN=rtl0 PHYSOUT=vmnet1 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44042 SEQ=7
06:54:30 [227559.987300] [e-n-PR] IN=vmnet1 OUT= MAC source = 00:0c:29:a4:a5:b2 MAC dest = 00:0c:29:77:f2:bd proto = 0x0800
06:54:30 [227559.987359] TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= PHYSIN=vmnet1 MAC=00:0c:29:77:f2:bd:00:0c:29:a4:a5:b2:08:00 SRC=192.168.45.1 DST=192.168.45.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56525 PROTO=ICMP
06:54:30 [227559.987413] TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=vmnet1 MAC=00:0c:29:77:f2:bd:00:0c:29:a4:a5:b2:08:00 SRC=192.168.45.1 DST=192.168.45.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56525 PROTO=I
06:54:30 [227559.987455] [e-f-F]  IN=vmnet1 OUT=rtl0 MAC source = 00:0c:29:a4:a5:b2 MAC dest = 00:0c:29:77:f2:bd proto = 0x0800
06:54:30 [227559.987479] TRACE: mangle:FORWARD:policy:3 IN=br0 OUT=br0 PHYSIN=vmnet1 PHYSOUT=rtl0 SRC=192.168.45.1 DST=192.168.45.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56525 PROTO=ICMP TYPE=0 CODE=0 ID=44042 SEQ=7
06:54:30 [227559.987504] TRACE: filter:FORWARD:policy:5 IN=br0 OUT=br0 PHYSIN=vmnet1 PHYSOUT=rtl0 SRC=192.168.45.1 DST=192.168.45.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56525 PROTO=ICMP TYPE=0 CODE=0 ID=44042 SEQ=7
06:54:30 [227559.987525] [e-n-PO] IN= OUT=rtl0 MAC source = 00:0c:29:a4:a5:b2 MAC dest = 00:0c:29:77:f2:bd proto = 0x0800
06:54:30 [227559.987548] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=br0 PHYSIN=vmnet1 PHYSOUT=rtl0 SRC=192.168.45.1 DST=192.168.45.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56525 PROTO=ICMP TYPE=0 CODE=0 ID=44042 SEQ=7
...repeats...
06:54:31 [227560.994489] [e-n-PR]  IN=rtl0 OUT= MAC source = 00:0c:29:77:f2:bd MAC dest = 00:0c:29:a4:a5:b2 proto = 0x0800
06:54:31 [227560.994548] TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= PHYSIN=rtl0 MAC=00:0c:29:a4:a5:b2:00:0c:29:77:f2:bd:08:00 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TY
06:54:31 [227560.994609] TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=rtl0 MAC=00:0c:29:a4:a5:b2:00:0c:29:77:f2:bd:08:00 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
06:54:31 [227560.994646] TRACE: nat:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=rtl0 MAC=00:0c:29:a4:a5:b2:00:0c:29:77:f2:bd:08:00 SRC=192.168.45.2 DST=192.168.45.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TY
06:54:31 [227560.994691] [e-f-F]  IN=rtl0 OUT=vmnet1 MAC source = 00:0c:29:77:f2:bd MAC dest = 00:0c:29:a4:a5:b2 proto = 0x0800
...
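An added example, not code from the mail above: it reconstructs the per-packet hook traversal from interleaved ebtables `--log` and iptables `-j TRACE` lines in the format of the dump, and reports which hooks one packet hit that another did not, which makes the Echo Reply's missing nat:POSTROUTING visible without reading the dump by eye. The sample lines are constructed from the dump (trimmed to the fields parsed) and the `[e-n-PR]` legend is assumed to mean what the mail says.

```python
import re

# Constructed sample modelled on the syslog dump above: the ICMP Echo Request
# (192.168.45.2 -> .1) and the Echo Reply behind it, trimmed to the fields parsed here.
SAMPLE = """\
[227559.984918] [e-n-PR]  IN=rtl0 OUT= MAC source = 00:0c:29:77:f2:bd proto = 0x0800
[227559.984976] TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= PHYSIN=rtl0 SRC=192.168.45.2 DST=192.168.45.1 PROTO=ICMP TY
[227559.985034] TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=rtl0 SRC=192.168.45.2 DST=192.168.45.1 PROTO=ICMP
[227559.985072] TRACE: nat:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=rtl0 SRC=192.168.45.2 DST=192.168.45.1 PROTO=ICMP TY
[227559.985117] [e-f-F]  IN=rtl0 OUT=vmnet1 MAC source = 00:0c:29:77:f2:bd proto = 0x0800
[227559.985141] TRACE: mangle:FORWARD:policy:3 IN=br0 OUT=br0 SRC=192.168.45.2 DST=192.168.45.1 PROTO=ICMP TYPE=8 ID=44042 SEQ=7
[227559.985166] TRACE: filter:FORWARD:policy:5 IN=br0 OUT=br0 SRC=192.168.45.2 DST=192.168.45.1 PROTO=ICMP TYPE=8 ID=44042 SEQ=7
[227559.985188] [e-n-PO] IN= OUT=vmnet1 MAC source = 00:0c:29:77:f2:bd proto = 0x0800
[227559.985211] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=br0 SRC=192.168.45.2 DST=192.168.45.1 PROTO=ICMP TYPE=8 ID=44042 SEQ=7
[227559.985252] TRACE: nat:POSTROUTING:policy:3 IN= OUT=br0 SRC=192.168.45.2 DST=192.168.45.1 PROTO=ICMP TYPE=8 ID=44042 SEQ=7
[227559.987300] [e-n-PR] IN=vmnet1 OUT= MAC source = 00:0c:29:a4:a5:b2 proto = 0x0800
[227559.987359] TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= PHYSIN=vmnet1 SRC=192.168.45.1 DST=192.168.45.2 PROTO=ICMP
[227559.987413] TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= PHYSIN=vmnet1 SRC=192.168.45.1 DST=192.168.45.2 PROTO=I
[227559.987455] [e-f-F]  IN=vmnet1 OUT=rtl0 MAC source = 00:0c:29:a4:a5:b2 proto = 0x0800
[227559.987479] TRACE: mangle:FORWARD:policy:3 IN=br0 OUT=br0 SRC=192.168.45.1 DST=192.168.45.2 PROTO=ICMP TYPE=0 ID=44042 SEQ=7
[227559.987504] TRACE: filter:FORWARD:policy:5 IN=br0 OUT=br0 SRC=192.168.45.1 DST=192.168.45.2 PROTO=ICMP TYPE=0 ID=44042 SEQ=7
[227559.987525] [e-n-PO] IN= OUT=rtl0 MAC source = 00:0c:29:a4:a5:b2 proto = 0x0800
[227559.987548] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=br0 SRC=192.168.45.1 DST=192.168.45.2 PROTO=ICMP TYPE=0 ID=44042 SEQ=7
"""
# ebtables --log prefix as used in the dump's legend ([e-n-PR] = ebtables-nat-PREROUTING)
EBT_RE = re.compile(r"\[e-([nf])-(PR|F|PO)\]\s+IN=")
IPT_RE = re.compile(r"TRACE: (\w+):(\w+):.*?SRC=(\S+) DST=(\S+)")  # iptables -j TRACE
EBT_NAMES = {"n": "nat", "f": "filter", "PR": "PREROUTING", "F": "FORWARD", "PO": "POSTROUTING"}

def split_packets(text):
    """Group hook lines into per-packet traversals; a new packet starts at a PREROUTING
    hook once the current packet has already moved past PREROUTING."""
    packets = []
    for line in text.splitlines():
        if m := EBT_RE.search(line):
            hook, flow = ("ebt", EBT_NAMES[m[1]], EBT_NAMES[m[2]]), None
        elif m := IPT_RE.search(line):
            hook, flow = ("ipt", m[1], m[2]), (m[3], m[4])
        else:
            continue
        if not packets or (hook[2] == "PREROUTING" and packets[-1]["hooks"][-1][2] != "PREROUTING"):
            packets.append({"flow": None, "hooks": []})
        packets[-1]["hooks"].append(hook)
        packets[-1]["flow"] = packets[-1]["flow"] or flow  # ebtables lines carry no IP addresses
    return packets

def hooks_skipped(packets):
    """Per packet: hooks (as 'ipt:nat:POSTROUTING' strings) hit by another packet but not by this one."""
    seen = {":".join(h) for p in packets for h in p["hooks"]}
    return [sorted(seen - {":".join(h) for h in p["hooks"]}) for p in packets]

if __name__ == "__main__":
    for p, skipped in zip(split_packets(SAMPLE), hooks_skipped(split_packets(SAMPLE))):
        print(p["flow"], " -> ".join(":".join(h) for h in p["hooks"]), "| skipped:", skipped)
```

Run against a full dump, the second packet (the reply) comes out with nat:PREROUTING and nat:POSTROUTING in its skipped list while the request has none.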