Re: packet flow - ebtables broute DROP target

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Bart and Jan,

Sorry for the belated reply. Im in India so the time gaps makes it bad.
Thank you for your great inputs. I would surely consider them now. Thank
you Jan for letting us know you guys are writing a book on netfilter.
Lord knows we need it. More and more companies across the globe are
using linux more and more now. This would be of immense help to
academicians and professionals alike.

Ive got 2 linux boxes, one virtual and one real. The real one has a eth0
interface which connects to my LAN. It's vmnet8 interface is behind the
virtual linux box's eth0 interface i.e. the latter is the former's
gateway. The virtual box has 3 interfaces eth0, eth1 and eth2. Out of
which eth0 and eth1 are bridged and enslaved to br0. eth2 connects to
the same LAN as does my real box's eth0. I have added a static route for
a PC in my outer LAN to force the traffic to go through vmnet8.

Now when I DROP packets for the target PC in the broute table, the
problem that I described above happens. I did what was told to be done
as shown the basic brouter example. But still..zilch..nothing seemed to
be working. 

To be specific, I added a rule:
ebtables -t broute -A BROUTING -p 0x806 --d$MAC_OF_eth0 -j DROP 
to allow the arp replies to arrive on eth0 and not on br0. But even
after that it didn't work. Even the packet count for this new rule was
zero all the time so I guess something was suspicious here.

Could someone, bart maybe, let me know what it means by his quote: "Your
traffic is probably dropped by the networking code because the 
destination MAC address differs from that of the bridge port."

May be I don't really know ARP works to infer how such a rule would be
helpful in the first place.

I am keen to hear frm you guys and once again, thank you for your input
and such wonderful open source software that would put the big guys out
there to shame.

Regards,
Aijaz

On Thu, 2010-07-15 at 21:26 +0200, Bart De Schuymer wrote: 
> Jan Engelhardt schreef:
> > On Thursday 2010-07-15 16:02, Aijaz Baig wrote:
> >   
> >> unfamiliar with it, here are the links to the same:
> >> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html for the document
> >> and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png for the
> >> picture.
> >>     
> >
> > Use http://jengelh.medozas.de/images/nf-packet-flow.png
> >
> >   
> >> Im trying to understand what happens to a packet which is DROPped in the
> >> BROUTING chain of the broute table. If I have understood correctly from
> >> the document above, it goes to L3 where the routing subsystem can decide
> >> where to send the packet to depending on L3 information in it isn't it?
> >>     
> >
> > In net/core/dev.c, the packet is passed to all "taps". Taps include 
> > raw sockets (think tcpdump), but also bridge and the IPvX layers 
> > themselves. Each of them basically gets a copy, thus it is important to 
> > not have an address on the ethernet interface (so that the IPvX tap 
> > ignores it). Only the bridge interface should have an address, because 
> > the bridge code will pass it to IPvX on its own.
> >
> >   
> When using a brouter, you actually assign IP addresses to the bridge 
> ports (different subnets) instead of the virtual bridge interface 
> itself. IP traffic is then DROPped in the BROUTE chain, so it's not 
> bridged. See http://ebtables.sourceforge.net/examples/real.html#example1 
> for an example usage.
> 
> cheers,
> Bart
> 




--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux