Re: packet flow - ebtables broute DROP target

Aijaz Baig schreef:
Hello Bart and Jan,

Sorry for the belated reply. I'm in India, so the time gap makes it bad.
Thank you for your great inputs. I would surely consider them now. Thank
you, Jan, for letting us know you guys are writing a book on netfilter.
Lord knows we need it. More and more companies across the globe are
now using Linux. This would be of immense help to
academicians and professionals alike.

I've got 2 Linux boxes, one virtual and one real. The real one has an eth0
interface which connects to my LAN. Its vmnet8 interface is behind the
virtual Linux box's eth0 interface, i.e. the latter is the former's
gateway. The virtual box has 3 interfaces, eth0, eth1 and eth2, of
which eth0 and eth1 are bridged and enslaved to br0. eth2 connects to
the same LAN as my real box's eth0 does. I have added a static route for
a PC in my outer LAN to force the traffic to go through vmnet8.

Now when I DROP packets for the target PC in the broute table, the
problem that I described above happens. I did what was told to be done,
as shown in the basic brouter example. But still... zilch, nothing seemed
to be working.
To be specific, I added a rule:

ebtables -t broute -A BROUTING -p 0x806 -d $MAC_OF_eth0 -j DROP

to allow the ARP replies to arrive on eth0 and not on br0. But even
after that it didn't work. Even the packet count for this new rule was
zero all the time, so I guess something was suspicious here.

Could someone, Bart maybe, let me know what he means by his quote: "Your
traffic is probably dropped by the networking code because the destination MAC address differs from that of the bridge port."

Maybe I don't really know how ARP works, to infer how such a rule would be
helpful in the first place.

This is explained at the link I gave you. If something is unclear in my description on the website, feel free to let me know. Try it out with the example rules I mention on that site and adapt to your situation from there. In the future, please explicitly list your complete test setup, including a dump of the firewall tables.

cheers,
Bart


--
Bart De Schuymer
www.artinalgorithms.be
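To make Bart's quoted sentence concrete, here is a small model of what the broute table decides and of the check that follows it. This is an added example, not code from the thread or from the ebtables project: a frame that enters a bridge port is first run through BROUTING, where ACCEPT (the default) means "bridge it" and DROP means "route it", i.e. hand it to the port's own network device rather than to br0; a brouted frame then passes through that device's normal receive path, which keeps only frames addressed to the device's own MAC (or to a group address). The MAC addresses, the choice of br0's MAC, the peer, and the extra IPv4 rule are all constructed for the illustration; only the ARP rule mirrors the one posted above.

```python
"""Model of the ebtables BROUTING decision and of the check that follows it.

Added example, not code from this thread or from ebtables.  All MAC
addresses and the IPv4 rule are constructed; the ARP rule mirrors
"ebtables -t broute -A BROUTING -p 0x806 -d $MAC_OF_eth0 -j DROP".
"""
from dataclasses import dataclass, field
from typing import Optional

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Low bit of the first octet set means a group (multicast/broadcast) address."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    in_port: str    # bridge port the frame arrived on, e.g. "eth0"
    dst_mac: str
    src_mac: str
    proto: int      # ethertype


@dataclass
class BrouteRule:
    """One broute rule with the ebtables -p / -d / -i matches and a -j target."""
    proto: Optional[int] = None     # -p
    dst_mac: Optional[str] = None   # -d
    in_port: Optional[str] = None   # -i
    target: str = "DROP"            # -j  (DROP in broute == route the frame)
    pcnt: int = 0                   # packet counter, as shown by -L --Lc

    def matches(self, f: Frame) -> bool:
        return ((self.proto is None or f.proto == self.proto)
                and (self.dst_mac is None or f.dst_mac.lower() == self.dst_mac.lower())
                and (self.in_port is None or f.in_port == self.in_port))


@dataclass
class Brouter:
    port_macs: dict             # port name -> MAC of that port device
    bridge_mac: str             # MAC of br0 itself
    rules: list = field(default_factory=list)

    def brouting(self, f: Frame) -> str:
        """First matching rule decides; no match falls through to ACCEPT."""
        for r in self.rules:
            if r.matches(f):
                r.pcnt += 1
                return r.target
        return "ACCEPT"

    def handle(self, f: Frame) -> str:
        if self.brouting(f) == "DROP":
            # Brouted: delivered to the port device, never to br0.  The
            # device's receive path only keeps frames addressed to its own
            # MAC or to a group address; anything else is silently dropped.
            if f.dst_mac == self.port_macs[f.in_port] or is_multicast(f.dst_mac):
                return f"routed:{f.in_port}"
            return "dropped:dst MAC differs from port MAC"
        # Bridged: br0 takes frames for its own MAC and floods group frames;
        # the rest is forwarded to the other ports.
        if f.dst_mac == self.bridge_mac:
            return "bridged:br0"
        others = [p for p in self.port_macs if p != f.in_port]
        if is_multicast(f.dst_mac):
            return "bridged:br0 and " + ",".join(others)
        return "bridged:forwarded to " + ",".join(others)


# Constructed addresses (locally administered, unicast).
MAC_ETH0 = "02:00:00:00:00:01"
MAC_ETH1 = "02:00:00:00:00:02"
MAC_BR0 = MAC_ETH1              # assumption: br0 ended up with another port's MAC
MAC_PEER = "02:00:00:00:00:99"  # the "target PC" on the LAN


def make_example_brouter() -> Brouter:
    return Brouter(
        port_macs={"eth0": MAC_ETH0, "eth1": MAC_ETH1},
        bridge_mac=MAC_BR0,
        rules=[
            # the rule from the thread: -p 0x806 -d $MAC_OF_eth0 -j DROP
            BrouteRule(proto=ETH_P_ARP, dst_mac=MAC_ETH0),
            # constructed extra rule: broute every IPv4 frame entering eth0
            BrouteRule(proto=ETH_P_IP, in_port="eth0"),
        ],
    )


def demo():
    """Run four frames through the model; returns outcomes and rule counters."""
    b = make_example_brouter()
    results = {
        "arp_reply_to_eth0": b.handle(Frame("eth0", MAC_ETH0, MAC_PEER, ETH_P_ARP)),
        "arp_reply_to_br0": b.handle(Frame("eth0", MAC_BR0, MAC_PEER, ETH_P_ARP)),
        "ip_to_eth0": b.handle(Frame("eth0", MAC_ETH0, MAC_PEER, ETH_P_IP)),
        "ip_to_br0": b.handle(Frame("eth0", MAC_BR0, MAC_PEER, ETH_P_IP)),
    }
    return results, [r.pcnt for r in b.rules]


if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print(f"{name:20s} -> {outcome}")
```

Two things the model makes visible. An ARP reply that the peer addressed to br0's MAC never hits the `-d $MAC_OF_eth0` rule, so that rule's counter stays at zero and the frame is bridged as before. And a frame that does get brouted but carries any MAC other than eth0's own is thrown away by the device's receive path, which is the drop Bart refers to; it shows up in no ebtables counter, so compare `ebtables -t broute -L --Lc` with what the peer actually sends before touching the rules.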
