Re: brouting different VLANs

Hi,

I didn't set up a bridge-firewall for some time, but...

1. When you "drop" in the BROUTING chain, you are telling the Linux kernel
that "packet forwarding" is only possible by IP routing. It's how to
disable the bridge for a given condition (your firewall rule). So I
don't understand the problem with the ARP.

2. But your first rules are "blocking" IP routing.
I do not understand why these rules:
ebtables -A FORWARD -i bond0.10 -j DROP
ebtables -A FORWARD -i bond0.20 -j DROP

"I used something like this to block transparently - that's the main
purpose of a bridge-firewall".

3. It would be simpler and more logical to work with two different subnets.

I found your logic very interesting, but it is something that I avoid.
IMHO, in this way you are very exposed to ARP problems.


2013/3/4 Dovydas Sankauskas <laisve@xxxxxxxxx>:
> Hi,
>
> If I broute all packets (including ARP) then I get the following results:
>
> 1. Customer1 sends an echo-request from 10.0.0.10 to 8.8.8.8.
> 2. The Linux router receives this ping on eth0, which hands it to bond0,
> which recognizes the vlan10 tag and hands it to bond0.10, which broutes
> it to br0.
> 3. Then the router sends an ARP who-has for customer1's MAC address from the br0
> interface, which hands it to both bridge ports bond0.10 and bond0.20,
> which tag it with their respective VLAN tags and hand it to bond0, which
> hands it to eth0, which sends it out on the wire.
> 4. The customer replies with an ARP is-at reply containing his MAC address.
> 5. The Linux router receives this ARP reply on eth0, which hands it to
> bond0, which recognizes the vlan10 tag and hands it to bond0.10. However
> my ARP reply doesn't go up to br0 from here.
>
> After I add this rule:
> ebtables -t broute -A BROUTING -p ! arp -i bond0.10 -j DROP
>
> Now the ARP reply goes up to br0 and I can see customer1's MAC in the IP
> neighbour table. Now the internet works fine.
>
> You say my config is something unusual? After a few days of reading
> manuals and then trial and error, this is how I've managed to connect
> customer1 to the internet.
>
>
>
> --
> Dovydas Sankauskas
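The two rule sets discussed in this thread, modelled as an added example (not code from either poster): a small simulation of how ebtables' BROUTING and FORWARD chains decide whether a frame is handed to the IP stack, delivered to br0, or bridged to the other customer port. The interface names come from the thread; the outcome labels and the form of the earlier "broute all packets" rule are assumptions.

```python
# Added model (not code from either poster) of ebtables' BROUTING/FORWARD
# decision path. Interface names follow the thread; outcome labels are ours.
from dataclasses import dataclass
from typing import Optional, Set

PORTS = ("bond0.10", "bond0.20")  # bridge ports of br0, as in the thread

@dataclass
class Frame:
    in_if: str   # bridge port the frame arrived on
    proto: str   # ethertype name, e.g. "arp" or "ipv4"
    dst: str     # "router" (br0's own MAC), "broadcast" or "other"

@dataclass
class Rule:
    chain: str                   # "BROUTING" or "FORWARD"
    in_if: Optional[str] = None  # -i match; None means any port
    proto: Optional[str] = None  # -p match; None means any ethertype
    negate: bool = False         # True models "-p ! arp"
    target: str = "DROP"
    def matches(self, f: Frame) -> bool:
        if self.in_if is not None and f.in_if != self.in_if:
            return False
        if self.proto is not None and (f.proto == self.proto) == self.negate:
            return False
        return True

def dispatch(f: Frame, rules) -> Set[str]:
    """BROUTING DROP means 'route it': the frame goes to the IP stack on the
    ingress port and never enters the bridge. Otherwise it reaches br0
    (INPUT) and/or the other ports, subject to the FORWARD chain."""
    for r in rules:
        if r.chain == "BROUTING" and r.matches(f):
            if r.target == "DROP":
                return {"routed"}
            break  # ACCEPT: stop evaluating, let the bridge have it
    out: Set[str] = set()
    if f.dst in ("router", "broadcast"):
        out.add("br0")
    if f.dst in ("broadcast", "other"):
        blocked = any(r.chain == "FORWARD" and r.target == "DROP" and r.matches(f)
                      for r in rules)
        if not blocked:
            out.update(p for p in PORTS if p != f.in_if)
    return out

# Rule set the poster ended up with: route all but ARP, never bridge between ports.
WORKING = [Rule("BROUTING", "bond0.10", "arp", negate=True),
           Rule("FORWARD", "bond0.10"), Rule("FORWARD", "bond0.20")]
BROUTE_ALL = [Rule("BROUTING", "bond0.10")]  # assumed form of the earlier attempt
```

With BROUTE_ALL the customer's ARP reply is handed to the IP stack on bond0.10 and never reaches br0, which is the symptom described in step 5; with WORKING it is delivered to br0 while the FORWARD drops still keep bond0.10 and bond0.20 from seeing each other's frames.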