Hi everybody,

I'm trying to add some layer 3 functionalities to a Linux-based layer 2 bridge. The goal is to enumerate the bridges between two endpoints using the traceroute command. As the Linux bridge code routes frames at the Ethernet level, the IP TTL is not decremented and no ICMP Time Exceeded reply is sent, making the bridge transparent.

I experimented with iptables and found out that I can decrement the TTL in the PREROUTING chain (mangle table) with

    iptables -t mangle -A PREROUTING -j TTL --ttl-dec 1

To generate an ICMP Time Exceeded reply when the TTL reaches zero, I tried the REJECT target in the FORWARD chain (filter table). The REJECT target doesn't support ICMP Time Exceeded, but it was pretty straightforward to fix this. Adding

    iptables -t filter -A FORWARD -m ttl --ttl-eq 0 -j REJECT --reject-with icmp-time-exceeded

the bridges show up in the traceroute output.

Why doesn't REJECT support ICMP Time Exceeded? Is there a good reason, or is it just that nobody has needed it yet? Should I submit a patch (Linux kernel netfilter + userspace iptables)?

I know that my application breaks the OSI model and creates some kind of hybrid "layer 2.5" device. I'm open to suggestions regarding a better way to implement bridge enumeration between two Ethernet hosts, but using the traceroute command is a customer requirement which could only be changed with strong valid reasons.

Best regards,

--
Laurent Pinchart
CSE Semaphore Belgium
Chaussée de Bruxelles, 732A
B-1410 Waterloo
Belgium
T +32 (2) 387 42 59
F +32 (2) 387 42 75
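The two-step behaviour the post assembles with iptables (decrement the TTL in PREROUTING, then answer a TTL of 0 in FORWARD with ICMP Time Exceeded) modelled on raw IPv4 packets, as an added example that is not from the post or from netfilter: the bridge address 192.0.2.1 and the probe packets are constructed, and the checksum fix-up after the TTL change is what the kernel TTL target has to do as well.

```python
import socket
import struct

BRIDGE_IP = "192.0.2.1"  # assumption: address the bridge answers from (constructed)


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, ttl, proto, payload):
    """Minimal IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def bridge_forward(pkt):
    """Model the two rules: returns ("forward", mangled) or ("reject", icmp)."""
    hdr = bytearray(pkt[:20])
    # mangle/PREROUTING: -j TTL --ttl-dec 1 (clamped at 0), then refresh checksum
    hdr[8] = max(hdr[8] - 1, 0)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    mangled = bytes(hdr) + pkt[20:]
    if hdr[8] > 0:
        return "forward", mangled
    # filter/FORWARD: -m ttl --ttl-eq 0 -j REJECT --reject-with icmp-time-exceeded
    # ICMP type 11 code 0, quoting the IP header plus 8 bytes of payload (RFC 792)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + mangled[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    reply_to = socket.inet_ntoa(pkt[12:16])
    return "reject", ipv4_packet(BRIDGE_IP, reply_to, 64, 1, icmp)
```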