Re: packet flow - ebtables broute DROP target

On Thursday 2010-07-15 16:02, Aijaz Baig wrote:
>unfamiliar with it, here are the links to the same:
>http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html for the document
>and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png for the
>picture.

Use http://jengelh.medozas.de/images/nf-packet-flow.png

>I'm trying to understand what happens to a packet which is DROPped in the
>BROUTING chain of the broute table. If I have understood correctly from
>the document above, it goes to L3 where the routing subsystem can decide
>where to send the packet to depending on L3 information in it isn't it?

In net/core/dev.c, the packet is passed to all "taps". Taps include 
raw sockets (think tcpdump), but also bridge and the IPvX layers 
themselves. Each of them basically gets a copy, thus it is important to 
not have an address on the ethernet interface (so that the IPvX tap 
ignores it). Only the bridge interface should have an address, because 
the bridge code will pass it to IPvX on its own.

(You probably knew this, but this is a nice question plus answer for our 
planned book(s).)

So considering only bridge.c, the brouting chain can then be used to 
either move the packet along the blue L2 path or the green L3 path.

If a packet remains travelling in the blue domain (i.e. it is bridged), 
the packet _must_ have the bridge's own dst mac address to go "upwards" 
at the "bridging decision" (sort of Ethernet routing, if you want to 
call it so) circle to reach IPvX routing.

>And then after that I checked the packet counters for both the rules
>viz. the one in the BROUTING chain and the one in the PREROUTING chain
>of the mangle table. The packet did hit the first rule and it is
>dropped. I cannot see it on br0, the bridge interface too. But the
>packet count in the latter rule is 0 which means that the packet didn't
>arrive in the mangle table's

To be eligible for green traversal as a result of (bridge check), the 
packet of course needs to be one of the supported protocols.
Sending STP into the green domain has no bearing. IPX packets will be 
conntracked, but of course you won't see them in iptables or ip6tables 
(since they are not IPv4/IPv6, naturally).
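As an added example, not code from this thread: a shell setup that follows the reply's advice (address only on br0, a DROP rule in the broute table's BROUTING chain, and a counter check of the BROUTING rule against the mangle PREROUTING rule). Interface names, the 192.0.2.1/24 address and the sample counter line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed setup: br0 bridges eth0 and
# eth1, 192.0.2.1/24 lives on br0 only. Needs root, iproute2, ebtables, iptables.

# Keep addresses off the member ports so the IPvX tap ignores frames arriving
# there; only br0 carries an address, as the reply recommends.
configure_bridge() {
    ip link add name br0 type bridge
    ip link set eth0 master br0
    ip link set eth1 master br0
    ip addr flush dev eth0
    ip addr flush dev eth1
    ip addr add 192.0.2.1/24 dev br0
    ip link set eth0 up
    ip link set eth1 up
    ip link set br0 up
}

# In the broute table, DROP does not discard the frame: it pulls IPv4 frames
# arriving on eth0 out of the bridge (blue) path and hands them to L3 routing
# (green), where iptables sees them on eth0, not on br0.
add_brouter_rules() {
    ebtables -t broute -A BROUTING -p IPv4 -i eth0 -j DROP
    # Target-less rule: it only counts what reaches the mangle PREROUTING chain.
    iptables -t mangle -A PREROUTING -i eth0
}

show_counters() {
    ebtables -t broute -L BROUTING --Lc
    iptables -t mangle -L PREROUTING -v -n
}

# Parse the packet counter out of one "ebtables -L --Lc" rule line, such as
# "-p IPv4 -i eth0 -j DROP , pcnt = 3 -- bcnt = 180" (constructed sample).
rule_pcnt() {
    printf '%s\n' "$1" | sed -n 's/.*pcnt = \([0-9][0-9]*\).*/\1/p'
}

# $1: a BROUTING rule line, $2: the mangle PREROUTING packet count. A brouted
# frame that never shows up in PREROUTING is not a protocol iptables handles
# (the reply's point about STP/IPX). Returns 0 only when both chains saw it.
both_chains_hit() {
    n=$(rule_pcnt "$1")
    if [ "${n:-0}" -gt 0 ] && [ "${2:-0}" -gt 0 ]; then return 0; fi
    return 1
}

case "${1:-}" in
    apply) configure_bridge; add_brouter_rules ;;
    show)  show_counters ;;
esac
```

Run with `apply` to configure the brouter and `show` to compare the two counters; the parsing helpers work offline on captured output.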