Re: packet flow - ebtables broute DROP target

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hey,

how are u checking the table? make sure u are looking at the NAT table and not input or forwarding.

Regards,
--
Payam Tarverdyan Chychi
Network Engineer

Sent from my iPhone

On 2010-07-16, at 10:05 AM, Aijaz Baig <aijazbaig1@xxxxxxxxx> wrote:

> Hello Bart and Jan,
> 
> Sorry for the belated reply. Im in India so the time gaps makes it bad.
> Thank you for your great inputs. I would surely consider them now. Thank
> you Jan for letting us know you guys are writing a book on netfilter.
> Lord knows we need it. More and more companies across the globe are
> using linux more and more now. This would be of immense help to
> academicians and professionals alike.
> 
> Ive got 2 linux boxes, one virtual and one real. The real one has a eth0
> interface which connects to my LAN. It's vmnet8 interface is behind the
> virtual linux box's eth0 interface i.e. the latter is the former's
> gateway. The virtual box has 3 interfaces eth0, eth1 and eth2. Out of
> which eth0 and eth1 are bridged and enslaved to br0. eth2 connects to
> the same LAN as does my real box's eth0. I have added a static route for
> a PC in my outer LAN to force the traffic to go through vmnet8.
> 
> Now when I DROP packets for the target PC in the broute table, the
> problem that I described above happens. I did what was told to be done
> as shown the basic brouter example. But still..zilch..nothing seemed to
> be working. 
> 
> To be specific, I added a rule:
> ebtables -t broute -A BROUTING -p 0x806 --d$MAC_OF_eth0 -j DROP 
> to allow the arp replies to arrive on eth0 and not on br0. But even
> after that it didn't work. Even the packet count for this new rule was
> zero all the time so I guess something was suspicious here.
> 
> Could someone, bart maybe, let me know what it means by his quote: "Your
> traffic is probably dropped by the networking code because the 
> destination MAC address differs from that of the bridge port."
> 
> May be I don't really know ARP works to infer how such a rule would be
> helpful in the first place.
> 
> I am keen to hear frm you guys and once again, thank you for your input
> and such wonderful open source software that would put the big guys out
> there to shame.
> 
> Regards,
> Aijaz
> 
> On Thu, 2010-07-15 at 21:26 +0200, Bart De Schuymer wrote: 
>> Jan Engelhardt schreef:
>>> On Thursday 2010-07-15 16:02, Aijaz Baig wrote:
>>> 
>>>> unfamiliar with it, here are the links to the same:
>>>> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html for the document
>>>> and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png for the
>>>> picture.
>>>> 
>>> 
>>> Use http://jengelh.medozas.de/images/nf-packet-flow.png
>>> 
>>> 
>>>> Im trying to understand what happens to a packet which is DROPped in the
>>>> BROUTING chain of the broute table. If I have understood correctly from
>>>> the document above, it goes to L3 where the routing subsystem can decide
>>>> where to send the packet to depending on L3 information in it isn't it?
>>>> 
>>> 
>>> In net/core/dev.c, the packet is passed to all "taps". Taps include 
>>> raw sockets (think tcpdump), but also bridge and the IPvX layers 
>>> themselves. Each of them basically gets a copy, thus it is important to 
>>> not have an address on the ethernet interface (so that the IPvX tap 
>>> ignores it). Only the bridge interface should have an address, because 
>>> the bridge code will pass it to IPvX on its own.
>>> 
>>> 
>> When using a brouter, you actually assign IP addresses to the bridge 
>> ports (different subnets) instead of the virtual bridge interface 
>> itself. IP traffic is then DROPped in the BROUTE chain, so it's not 
>> bridged. See http://ebtables.sourceforge.net/examples/real.html#example1 
>> for an example usage.
>> 
>> cheers,
>> Bart
>> 
> 
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux