On Tue, Dec 2, 2008 at 2:37 PM, Jonothan Kane <jonothan.kane@xxxxxxxxx> wrote:
> Hey all;
>
> I've got some old gear on a network with a couple of Linux transparent
> bridge firewalls protecting the network.
> For the regular Ethernet II frames the filtering in the netfilter
> filter table FORWARD chain works well.
>
> All old style 802.3 frames hit the ebtables tables but not the
> netfilter filter table FORWARD chain.
> The 802.3 frames are carrying IP datagrams. Is there a trick to get
> them into the FORWARD chain?
> Preferably without changing the bridging firewalls to routing firewalls.
>
> Thanks for any info.
>
> J Kane.

Well, I did some poking around in the bridging code with some sk_buff printks.

Those 802.3 frames carrying IPv4 payload are coming in and being classified with an skb->protocol type of 802.2 (ETH_P_802_2), and the skb->nh.raw pointer is set to the start of the LLC portion of the datalink header instead of the start of the IPv4 payload (off by 8 bytes).

The IPv4 payload never seems to get processed by the netfilter filter table rules. I thought that the IPv4 payload would get detected and processed by netfilter correctly.

Anyone else have any experience getting 802.3 frames carrying IPv4 payload through netfilter?

J Kane.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
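As an added illustration of the framing difference the message describes (example code written for this page, not from the original post or the kernel): a small Python parser that tells Ethernet II apart from IEEE 802.3/LLC/SNAP by the type/length field, locates the IPv4 header in each, and makes the 8-byte gap between the LLC start and the IP payload visible. The frame bytes are constructed for the example.

```python
import struct

ETH_P_IP = 0x0800            # EtherType for IPv4
ETH_MAX_802_3_LEN = 0x05DC   # 1500: a type/length field <= this is an 802.3 length
MAC_HDR_LEN = 14             # dst MAC + src MAC + type/length
LLC_SNAP_LEN = 8             # 3-byte LLC (DSAP, SSAP, ctrl) + 3-byte OUI + 2-byte EtherType

def locate_ipv4(frame: bytes):
    """Classify a raw frame and return (encapsulation, offset of IPv4 header or None)."""
    if len(frame) < MAC_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len > ETH_MAX_802_3_LEN:
        # Ethernet II: the EtherType directly follows the MAC addresses.
        return ("ethernet_ii", MAC_HDR_LEN if type_or_len == ETH_P_IP else None)
    # IEEE 802.3: the field is a payload length and an LLC header follows it.
    if len(frame) < MAC_HDR_LEN + 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if (dsap, ssap, ctrl) != (0xAA, 0xAA, 0x03):
        return ("802.3_llc", None)           # plain LLC without SNAP: cannot carry IPv4
    if len(frame) < MAC_HDR_LEN + LLC_SNAP_LEN:
        raise ValueError("truncated SNAP header")
    oui = frame[17:20]
    ethertype = struct.unpack("!H", frame[20:22])[0]
    if oui == b"\x00\x00\x00" and ethertype == ETH_P_IP:
        return ("802.3_llc_snap", MAC_HDR_LEN + LLC_SNAP_LEN)
    return ("802.3_llc_snap", None)

def ipv4_version_ok(frame: bytes, offset: int) -> bool:
    """True if the byte at offset carries the IPv4 version nibble (4)."""
    return len(frame) > offset and (frame[offset] >> 4) == 4

# Constructed sample frames: a minimal 20-byte IPv4 header behind each encapsulation.
IPV4_HDR = bytes([0x45, 0x00, 0x00, 0x14]) + b"\x00" * 16
DST, SRC = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
ETHII_FRAME = DST + SRC + struct.pack("!H", ETH_P_IP) + IPV4_HDR
SNAP_FRAME = (DST + SRC + struct.pack("!H", LLC_SNAP_LEN + len(IPV4_HDR))
              + b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", ETH_P_IP) + IPV4_HDR)

if __name__ == "__main__":
    for name, frame in (("Ethernet II", ETHII_FRAME), ("802.3/LLC/SNAP", SNAP_FRAME)):
        enc, off = locate_ipv4(frame)
        print(f"{name}: {enc}, IPv4 header at byte {off}, "
              f"gap after MAC header = {off - MAC_HDR_LEN} bytes")
```

Pointing a parser at byte 14 of the SNAP frame lands on the LLC DSAP (0xAA), not on an IPv4 version nibble, which is the same 8-byte mismatch the message reports.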