Sorry, I sent this in HTML first by mistake... needed to switch to a block font to do the ASCII art. On 6/13/07, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote: > Do you really have that many interfaces, or are you just skipping a
bunch of interfaces?
Oh, I'm skipping a bunch... 50 and 51 just denote the interfaces we always use for the bridge.
Does this rule ever match any packets?
Not in my current setup, but I think it's for an alternate setup, in any case, I'm not worried about it right now.
Baring in mind that (by default) Linux will (primarily) use one interface on a subnet unless you do something to alter it. To this end I think you will need to match based on Dan's IP be it source or destination.
Hrmm, that _might_ be it but I'm not convinced. There are three conditions which need to be satisfied: - bridge traffic is bridged w/o interruption - all traffic from localhost uses eth0 - traffic from one port on the localhost uses br0 instead of eth0
I'm still not convinced that you need to mark the packets. In my opinion it is so much easier to match the source or destination IP.
Ugg, I hate ASCII art, but here go my Picasso skills... ______ ______ _____ | |-->--1-->--| |-->--2-->--| | | Jack | | Jose | | Dan | |______| |______|--<--3--<--|_____| | | | | 5 4 | | V V This makes you appreciate whiteboards on a whole new level. Assuming eth0 and br0 are on the same network, this is what I'm seeing: 1 - packets from Jack flow in on the bridge (eth50). 2 - packets from localhost go out on the bridge (eth51). 3 - response is received from Dan on the bridge (eth51). 4 - packets from localhost match both the eth0 and br0 networks, eth0 takes the cake and the packet is sent out the wrong interface. 5 - all other traffic. All packets from me, destined to that network should use eth0, with the exception of packets like "4" (as described above). Those packets should use br0. We've tried modifying our software to force an interface but it looks like Java under Linux is incapable - the packets seem to hit the routing rules anyway. I only know the source port of these packets; SRC IP is going to be one of mine, DST IP is unknown (except to the software) and DST port is random (per connection).
Ok, I feel like I'm missing your config. Will you please list out your interfaces (logical and physical) as well as subnets. Granted the subnets can be a.b.c.x, d.e.f.x, g.h.i.x, etc.
Sure - JACK - IP: 37.2.18.205 / 255.255.254.0 GW: 37.2.18.1 / 255.255.254.0 Sends 1, expects 4 in diagram above. DAN - IP: 72.2.2.80 / 255.255.254.0 GW: 72.2.2.1 / 255.255.254.0 Receives 2, Sends 3. JOSE - BR0: 72.2.2.92 / 255.255.254.0 GW: 72.2.2.1 / 255.255.254.0 Receives 1, Sends 2, Receives 3. ETH0: 72.2.4.109 / 255.255.254.0 GW: 72.2.4.1 / 255.255.254.0 Sends 4 In this scenario, ETH0 in Jose is on a different subnet. It is feasible that it is on the same subnet as DAN/BR0. Jose's IPTables: [root@SES network-scripts]# iptables -L -t nat Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere 72.2.2.80 tcp dpt:5000 to: 72.2.2.92:2037 DNAT tcp -- 72.2.2.80 anywhere tcp spt:5000 to:72.2.2.92 ***** All other chains are empty ***** Jose's routing tables: You'll find that these are pretty-much the default routing tables: [root@SES network-scripts]# ip route list table local local 72.2.4.109 dev eth0 proto kernel scope host src 72.2.4.109 local 72.2.2.92 dev br0 proto kernel scope host src 72.2.2.92 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 broadcast 72.2.4.0 dev eth0 proto kernel scope link src 72.2.4.109 broadcast 72.2.5.255 dev eth0 proto kernel scope link src 72.2.4.109 broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 broadcast 72.2.2.0 dev br0 proto kernel scope link src 72.2.2.92 broadcast 72.2.3.255 dev br0 proto kernel scope link src 72.2.2.92 local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 [root@JOSE network-scripts]# ip route list table main 72.2.2.80 via 72.2.2.92 dev br0 72.2.4.0/23 dev eth0 proto kernel scope link src 72.2.4.109 72.2.2.0/23 dev br0 proto kernel scope link src 72.2.2.92 169.254.0.0/16 dev eth0 scope link default via 72.2.4.1 dev eth0 OR in the old-fashion style: [root@JOSE network-scripts]# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 72.2.4.0 * 255.255.254.0 U 0 0 0 eth0 72.2.2.0 * 255.255.254.0 U 0 0 0 br0 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0 default 72.2.4.1 0.0.0.0 UG 0 0 0 eth0 [root@JOSE network-scripts]# ip route list table default [root@JOSE network-scripts]#
You will probably have to use custom routing tables including the tables including link addresses.
I'm not sure what this means... Since I want all traffic to go to eth0, except for the traffic with a given source port, how are the routing tables going to help me? I did notice one interesting thing last night... My Cisco RV042 that's used as a router in the middle is sending a lot of Gratuitous ARP packets for an interface which itself owns... I'm guessing this is a firmware bug of some kind and probably wouldn't affect my setup anyway so I'm going to ignore it. - Gareth