Sorry, I sent this in HTML first by mistake... needed to switch to a
block font to do the ASCII art.
On 6/13/07, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
> Do you really have that many interfaces, or are you just skipping a
bunch of interfaces?
Oh, I'm skipping a bunch... 50 and 51 just denote the interfaces we
always use for the bridge.
Does this rule ever match any packets?
Not in my current setup, but I think it's for an alternate setup, in
any case, I'm not worried about it right now.
Baring in mind that (by default) Linux will (primarily) use one
interface on a subnet unless you do something to alter it. To this end
I think you will need to match based on Dan's IP be it source or
destination.
Hrmm, that _might_ be it but I'm not convinced. There are three
conditions which need to be satisfied:
- bridge traffic is bridged w/o interruption
- all traffic from localhost uses eth0
- traffic from one port on the localhost uses br0 instead of eth0
I'm still not convinced that you need to mark the packets. In my
opinion it is so much easier to match the source or destination IP.
Ugg, I hate ASCII art, but here go my Picasso skills...
______ ______ _____
| |-->--1-->--| |-->--2-->--| |
| Jack | | Jose | | Dan |
|______| |______|--<--3--<--|_____|
| |
| |
5 4
| |
V V
This makes you appreciate whiteboards on a whole new level.
Assuming eth0 and br0 are on the same network, this is what I'm seeing:
1 - packets from Jack flow in on the bridge (eth50).
2 - packets from localhost go out on the bridge (eth51).
3 - response is received from Dan on the bridge (eth51).
4 - packets from localhost match both the eth0 and br0 networks, eth0
takes the cake and the packet is sent out the wrong interface.
5 - all other traffic.
All packets from me, destined to that network should use eth0, with
the exception of packets like "4" (as described above). Those packets
should use br0. We've tried modifying our software to force an
interface but it looks like Java under Linux is incapable - the
packets seem to hit the routing rules anyway. I only know the source
port of these packets; SRC IP is going to be one of mine, DST IP is
unknown (except to the software) and DST port is random (per
connection).
Ok, I feel like I'm missing your config. Will you please list out your
interfaces (logical and physical) as well as subnets. Granted the
subnets can be a.b.c.x, d.e.f.x, g.h.i.x, etc.
Sure -
JACK -
IP: 37.2.18.205 / 255.255.254.0
GW: 37.2.18.1 / 255.255.254.0
Sends 1, expects 4 in diagram above.
DAN -
IP: 72.2.2.80 / 255.255.254.0
GW: 72.2.2.1 / 255.255.254.0
Receives 2, Sends 3.
JOSE -
BR0: 72.2.2.92 / 255.255.254.0
GW: 72.2.2.1 / 255.255.254.0
Receives 1, Sends 2, Receives 3.
ETH0: 72.2.4.109 / 255.255.254.0
GW: 72.2.4.1 / 255.255.254.0
Sends 4
In this scenario, ETH0 in Jose is on a different subnet. It is
feasible that it is on the same subnet as DAN/BR0.
Jose's IPTables:
[root@SES network-scripts]# iptables -L -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 72.2.2.80 tcp
dpt:5000 to: 72.2.2.92:2037
DNAT tcp -- 72.2.2.80 anywhere tcp
spt:5000 to:72.2.2.92
***** All other chains are empty *****
Jose's routing tables:
You'll find that these are pretty-much the default routing tables:
[root@SES network-scripts]# ip route list table local
local 72.2.4.109 dev eth0 proto kernel scope host src 72.2.4.109
local 72.2.2.92 dev br0 proto kernel scope host src 72.2.2.92
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 72.2.4.0 dev eth0 proto kernel scope link src 72.2.4.109
broadcast 72.2.5.255 dev eth0 proto kernel scope link src 72.2.4.109
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 72.2.2.0 dev br0 proto kernel scope link src 72.2.2.92
broadcast 72.2.3.255 dev br0 proto kernel scope link src 72.2.2.92
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
[root@JOSE network-scripts]# ip route list table main
72.2.2.80 via 72.2.2.92 dev br0
72.2.4.0/23 dev eth0 proto kernel scope link src 72.2.4.109
72.2.2.0/23 dev br0 proto kernel scope link src 72.2.2.92
169.254.0.0/16 dev eth0 scope link
default via 72.2.4.1 dev eth0
OR in the old-fashion style:
[root@JOSE network-scripts]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
72.2.4.0 * 255.255.254.0 U 0 0 0 eth0
72.2.2.0 * 255.255.254.0 U 0 0 0 br0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 72.2.4.1 0.0.0.0 UG 0 0 0 eth0
[root@JOSE network-scripts]# ip route list table default
[root@JOSE network-scripts]#
You will probably have to use custom routing tables including the tables
including link addresses.
I'm not sure what this means... Since I want all traffic to go to
eth0, except for the traffic with a given source port, how are the
routing tables going to help me?
I did notice one interesting thing last night... My Cisco RV042
that's used as a router in the middle is sending a lot of Gratuitous
ARP packets for an interface which itself owns... I'm guessing this is
a firmware bug of some kind and probably wouldn't affect my setup
anyway so I'm going to ignore it.
- Gareth
