On Tue, 29/06/2010 at 09:57 -0500, Grant Taylor wrote:
> On 06/29/10 09:29, Покотиленко Костик wrote:
> > Linux box runs some services and has 3 interfaces, 2 of them are
> > bridged to br0 and one is left for a separate local segment. So it is a
> > router between br0 and eth2 and a bridge between eth0, eth1.
>
> Will you please clarify what interface the Zyxel bridge is connected to?
> (I'm guessing that it's connected to either eth0 or eth1, but I'd
> like some clarification.)
>
> What is connected to the other two interfaces?

       +-- eth0: modem
br0 --+
       +-- eth1: local network

eth2: network of public access points

> > This is brctl showmacs, right?
>
> I don't know the command off the top of my head, but I know there is a
> command to have the bridge show what MAC addresses are associated with
> what bridge ports.
>
> > So, this is exactly the same logic that switches use, right?
>
> Should be, yes.
>
> > Can you confirm that if a MAC (frame with source MAC) pops up on a port
> > different from the one it was seen on the previous time, then the port for
> > that MAC gets updated?
>
> Should be, yes.

If so, the Linux bridge should not be the point of the problem.

> > What then is "brctl setageing" for?
>
> That should set the aging / expire timer for MAC addresses that have not
> been seen in a while. (How long the MAC has to be quiet before it is
> flooded again.)

So this is to remove MACs that have not popped up for long, just to not waste memory.

> > It may happen that rebooting the modems brings the port link down and the
> > bridge may clear the MAC-port table on that port. This is similar to
> > what Zyxel support told me.
>
> Agreed. See my previous reply about a way to test this.

I'll consider.

> > In my case on the moved box I'm unable to make connections or even ping.
>
> This is contrary to how every Linux bridge that I have used ever
> behaved. I'm thinking that the Zyxel is at least part of the problem.
>
> That being said, it is very unlikely but there could be some sort of
> weird interaction between the Zyxel and Linux bridging that combined is
> causing a problem.

This is quite low probability.

> > Besides that it is a server, iptables is used to restrict access for
> > the separate local segment at eth2 (allow access to the Internet and not to
> > the local net). Ebtables is empty now, but I wanted to be able to filter
> > bridge traffic if that matters someday.
>
> Remember that it is possible for IPTables to filter bridged traffic.
> (It depends if an option is enabled in the kernel.) So IPTables could
> be interfering without you knowing it.

I know that. But some kinds of matches in newer kernels are available only in ebtables, like --phys-dev-[in|out]

> Will you please provide the output of "iptables-save" (sanitized if needed).

All rules have either "-i eth2" or "-o eth2". eth2 is the public access points network that should be restricted. br0 (eth0: modem, eth1: local network for this building): local network. Default policy is accept, so there are no rules to restrict bridged traffic.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
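As an added example that is not part of this thread: a small POSIX shell script that diffs two "brctl showmacs" snapshots and lists every learned MAC whose bridge port changed between them, which is a direct way to check the "does the port for that MAC get updated" question on the box itself. The snapshot text is constructed sample output in the showmacs column layout, and the function names mac_moves and mac_move_count are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares two snapshots of
# "brctl showmacs br0" and prints every non-local MAC whose learned port
# differs, i.e. whether the bridge re-learned the MAC on the new port (as a
# switch would) or still holds the stale entry.
# On a real box: brctl showmacs br0 > before; sleep 5; brctl showmacs br0 > after
# The two snapshots below are constructed sample output, not real captures
# (spaces instead of the tabs brctl prints; awk splits on both).

SNAP_BEFORE='port no  mac addr           is local?  ageing timer
  1       00:11:22:33:44:55  no           12.34
  2       00:aa:bb:cc:dd:ee  no            3.10
  1       00:50:56:00:00:01  yes           0.00'

SNAP_AFTER='port no  mac addr           is local?  ageing timer
  2       00:11:22:33:44:55  no            0.50
  2       00:aa:bb:cc:dd:ee  no            5.10
  1       00:50:56:00:00:01  yes           0.00'

# mac_moves BEFORE AFTER: prints "<mac> <old port> <new port>" per moved MAC.
mac_moves() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } |
    awk '
        $0 == "---"  { second = 1; next }   # separator between the snapshots
        $1 == "port" { next }               # skip the column header line
        $3 != "no"   { next }               # ignore local (bridge-owned) MACs
        !second      { old[$2] = $1; next } # remember port from first snapshot
        ($2 in old) && old[$2] != $1 { print $2, old[$2], $1 }
    '
}

# mac_move_count BEFORE AFTER: number of moved MACs, usable as an alert
# condition when the script is run periodically.
mac_move_count() {
    mac_moves "$1" "$2" | wc -l | tr -d ' '
}

mac_moves "$SNAP_BEFORE" "$SNAP_AFTER"
```

A MAC that shows up in the output moved ports as expected; a MAC that keeps its old port after its host clearly appeared elsewhere is the stale-entry case the thread is worried about, and "brctl setageing" only bounds how long such an entry can survive without traffic.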