filtering frames based on destination MAC address using ebtables


 



Hello,

I am using the 2.6.28.8 kernel and ebtables version v2.0.9-1. I am trying to configure ebtables to filter (DROP) all the frames from the LAN to a WAN PC with a specific destination MAC address.

My test setup is as below:

LAN_PC <--> eth0--My_bridge--eth1 <--> WAN_PC(MAC addr: 00:0b:db:da:34:0c)

My_bridge with eth0 and eth1 as its ports is configured as below:
/# ifconfig eth0 0.0.0.0 up
/# ifconfig eth1 0.0.0.0 up
/# brctl addbr test
/# brctl addif test eth0
/# brctl addif test eth1
/# ifconfig test 0.0.0.0 up

I have configured the ebtables rule below to filter all the packets from LAN_PC to WAN_PC (MAC address 00:0b:db:da:34:0c):

/# ebtables -t filter -A FORWARD -d 00:0b:db:da:34:0c -i eth0 -o eth1 -j DROP

With this configuration, I tried a PING from LAN_PC (192.168.10.100) to WAN_PC (192.168.10.200) and the PING is successful; the configured ebtables rule could not DROP the ICMP echo requests from the LAN PC to the WAN PC.
But at the same time, this rule is able to DROP UDP traffic from LAN_PC to WAN_PC.

What I observed in the PING case is that the LAN PC is able to resolve the IP of the WAN PC through ARP, and then the "ICMP echo request" from LAN to WAN doesn't enter the ebtables match API ebt_do_table() in net/bridge/netfilter/ebtables.c.

Could anyone help me understand why the PING traffic is not DROPped as configured and doesn't enter ebt_do_table() in net/bridge/netfilter/ebtables.c?

Thanks in advance.

Regards,
Veerasena.
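The bridge and the DROP rule from the message above, repackaged as an added diagnostic script that is not part of the original post: it puts a counting/logging CONTINUE rule restricted to ICMP in front of the DROP rule and reads the per-rule counters back, so whether echo requests traverse the ebtables FORWARD chain at all can be answered from `ebtables -L --Lc` rather than from kernel instrumentation. The interface names, bridge name and WAN MAC are the poster's; the `-p IPv4 --ip-proto icmp` counting rule, the helper names and the assumption that ebtables 2.0.x prints counters as `, pcnt = N -- bcnt = N` and MAC octets without leading zeros (`00:0b` as `0:b`) are mine. Only the `setup` and `check` actions touch the system and need root; the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post). It reproduces the bridge
# and the DROP rule from the post, adds a counting/logging rule for ICMP in
# front of it, and reads the per-rule counters back so that "does the echo
# request reach the ebtables FORWARD chain?" can be answered from the counters.
# Assumptions: ebtables 2.0.x listing format (", pcnt = N -- bcnt = N") and that
# the listing prints MAC octets without leading zeros (00:0b -> 0:b).

BR=test
LAN_IF=eth0
WAN_IF=eth1
WAN_MAC=00:0b:db:da:34:0c

# Normalise a MAC to the form ebtables -L prints (lowercase, no leading zero per
# octet) so it can be compared against a listing.
ebt_mac_norm() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        awk -F: 'BEGIN { OFS = ":" }
                 { for (i = 1; i <= NF; i++) { sub(/^0/, "", $i); if ($i == "") $i = "0" } print }'
}

# Read an `ebtables -t filter -L FORWARD --Lc` listing on stdin and print the
# packet counter of every rule whose -d matches the given MAC, one per line.
ebt_rule_pcnt() {
    mac=$(ebt_mac_norm "$1")
    awk -v mac="$mac" '{
        for (i = 1; i < NF; i++)
            if ($i == "-d" && $(i + 1) == mac)
                for (j = i; j <= NF; j++)
                    if ($j == "pcnt") { print $(j + 2); next }
    }'
}

# Bridge setup exactly as in the post (needs root).
setup_bridge() {
    ifconfig "$LAN_IF" 0.0.0.0 up
    ifconfig "$WAN_IF" 0.0.0.0 up
    brctl addbr "$BR"
    brctl addif "$BR" "$LAN_IF"
    brctl addif "$BR" "$WAN_IF"
    ifconfig "$BR" 0.0.0.0 up
}

# A CONTINUE rule restricted to ICMP, with the log watcher attached, placed in
# front of the post's DROP rule: its pcnt counts echo requests that traverse the
# chain, and the kernel log shows each one.  Then the DROP rule from the post.
add_rules() {
    ebtables -t filter -A FORWARD -p IPv4 --ip-proto icmp -d "$WAN_MAC" \
        -i "$LAN_IF" -o "$WAN_IF" --log-prefix "ebt-icmp " -j CONTINUE
    ebtables -t filter -A FORWARD -d "$WAN_MAC" -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

# bridge-netfilter knobs: with bridge-nf-call-iptables=1, IPv4 frames crossing
# the bridge are additionally run through the iptables chains.
show_brnf() {
    for f in /proc/sys/net/bridge/bridge-nf-call-iptables \
             /proc/sys/net/bridge/bridge-nf-call-arptables; do
        [ -r "$f" ] && printf '%s = %s\n' "$f" "$(cat "$f")"
    done
}

# Print "<icmp-count> <drop-count>" from the live counters (needs root).
check_counters() {
    ebtables -t filter -L FORWARD --Lc | ebt_rule_pcnt "$WAN_MAC" | tr '\n' ' '
    echo
}

case "${1:-}" in
    setup) setup_bridge; add_rules ;;
    check) show_brnf; check_counters ;;
esac
```

Run `sh ebt-diag.sh setup` on the bridge host, ping from LAN_PC, then `sh ebt-diag.sh check`: a first counter of 0 while the ping succeeds means the echo requests never traverse the FORWARD chain of the filter table, whereas a nonzero first counter with an unchanged second one means they do reach ebtables but are not matched by the DROP rule as written.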


      
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
