On Sat, Dec 5, 2015 at 12:30 PM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> Oliver Graute a écrit :
>>
>> I try to mark some frames with ebtables on MAC Layer to pass these mark to
>> iptables network layer.
>>
>> I build up a bridge interface br0, cleared all ebtables and iptables tables
>> as preparation. Then I try something like this:
>>
>> ebtables -t filter -A INPUT -p IPv4 -s 00:11:22:33:44:55 -i eth0 -j mark --mark-set 0xffff --mark-target ACCEPT
>> ebtables -t filter -A INPUT --log-level info --log-ip --log-prefix EBFW
>> iptables -t mangle -A PREROUTING -m mark --mark 0xffff
>
> What's the use of this rule with no target ?

The target should be LOG or ACCEPT. Right now I only need to mark special tagged frames coming from the MAC layer.

>> iptables -t mangle -A PREROUTING -m mark --mark 0xffff -j LOG --log-level
>> info --log-prefix MARKED
>>
>> I would expect that iptables log show me the marked packages from ebtables.
>> But I see no mark 0xffff
>
> Check the packet flow diagram at
> <https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg>

thx, that helps a lot for my understanding.

> You can see that if the packet is received on a bridge (blue
> background), ebtables/INPUT (blue header) comes after
> iptables/PREROUTING (green header). To avoid the iptables/ebtables mix,
> you must disable iptables call by bridge-nf :
>
> echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
>
> What is your goal ? If you just need to match the source MAC address,
> you don't need ebtables. Iptables has the "mac" match.

I just tried a "simple" example with "mac" match to understand the ebtables/iptables mix. But the real goal is to mark frames coming from a tagged port with a 3-bit PCP field (IEEE 802.1p/802.1Q). Later on I want to proceed these marked frames on IP layer to set some ToS bits. How is that done?
Best Regards,
Oliver
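The two-stage scheme Oliver describes (read the 3-bit PCP from the 802.1Q tag at layer 2, carry it across as a firewall mark, then use the mark at layer 3 to set the ToS byte) is easier to reason about once the bit positions are spelled out. The following is an added example, not code from the thread or from the netfilter project: it parses a constructed 802.1Q-tagged frame, derives a mark from the PCP, and rewrites the IPv4 ToS byte with a corrected header checksum, which is the work an iptables mangle-table TOS/DSCP target performs. The mark layout (0xff00 | PCP), the PCP-to-DSCP mapping (class selectors CS0..CS7, i.e. DSCP = PCP << 3), the sample MAC addresses other than 00:11:22:33:44:55, and the 192.0.2.x documentation addresses are all assumptions of this example.

```python
import struct

# EtherTypes (IEEE/IANA assigned values)
ETH_P_8021Q = 0x8100   # 802.1Q single VLAN tag
ETH_P_8021AD = 0x88A8  # 802.1ad outer (QinQ) tag
ETH_P_IP = 0x0800

# Assumed, constructed mark scheme for this example: the high byte 0xff says
# "arrived on a tagged port", the low three bits carry the PCP.
PCP_MARK_BASE = 0xFF00


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame; if it carries an 802.1Q/802.1ad tag,
    extract PCP (3 bits), DEI (1 bit) and VID (12 bits) from the TCI field."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": None, "dei": None, "vid": None, "ethertype": ethertype,
            "payload_offset": 14}
    if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner, payload_offset=18)
    return info


def mark_for_pcp(pcp: int) -> int:
    """Firewall mark the assumed scheme assigns to a frame with this PCP."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    return PCP_MARK_BASE | pcp


def tos_for_pcp(pcp: int) -> int:
    """ToS byte for a PCP using the class-selector convention (DSCP = PCP << 3).
    This mapping is an assumption of the example, not something the thread states."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    dscp = pcp << 3            # CS0..CS7
    return (dscp << 2) & 0xFC  # ToS byte = 6 DSCP bits + 2 ECN bits (left 0)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; yields 0 when run over a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_tos(ip_packet: bytes, tos: int) -> bytes:
    """Rewrite the IPv4 ToS byte and recompute the header checksum."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if (ip_packet[0] >> 4) != 4 or ihl < 20 or len(ip_packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    header = bytearray(ip_packet[:ihl])
    header[1] = tos & 0xFF
    header[10:12] = b"\x00\x00"  # checksum field is zero while summing
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + ip_packet[ihl:]


def build_sample_frame(pcp: int = 5, vid: int = 100) -> bytes:
    """Constructed sample: a tagged frame from 00:11:22:33:44:55 (the MAC used in
    the thread) carrying a minimal IPv4 header between documentation addresses."""
    dst = bytes.fromhex("aabbccddeeff")   # constructed destination MAC
    src = bytes.fromhex("001122334455")
    tci = (pcp << 13) | vid               # DEI bit left at 0
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 20, 0, 0, 64, 17, 0,
                               bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + bytes(ip)


def classify(frame: bytes) -> dict:
    """Layer-2 step (PCP -> mark) followed by the layer-3 step (mark -> ToS).
    The IP-layer step deliberately looks only at the mark, never at the tag."""
    info = parse_frame(frame)
    if not info["tagged"] or info["ethertype"] != ETH_P_IP:
        return {"mark": 0, "packet": frame[info["payload_offset"]:]}
    mark = mark_for_pcp(info["pcp"])
    tos = tos_for_pcp(mark & 0x7)
    return {"mark": mark, "packet": set_tos(frame[info["payload_offset"]:], tos)}


if __name__ == "__main__":
    result = classify(build_sample_frame())
    print("mark=%#06x tos=%#04x" % (result["mark"], result["packet"][1]))
```

The split in `classify` mirrors the ebtables/iptables hand-off: everything that needs the VLAN header happens before the tag is stripped, and the IP-layer step receives nothing but the mark, so the rule on that side only has to match `--mark 0xff05/0xff07`-style values rather than re-parsing layer 2. If bridge-nf-call-iptables is left enabled, the iptables PREROUTING traversal shown in the flow diagram runs before ebtables/INPUT has set the mark, which is exactly why the LOG rule in the thread saw no 0xffff.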