Fwd: Need guidance in - dropping incoming packets to a interface in a bridged network.

Hi Team,

My device contains 2 ethernet interfaces (eth1 and eth2) added to a
bridge interface (br0).
I am trying to DROP all the packets to the eth1 interface based on some
user condition,
and I am new to the netlink programming APIs.


I did get through:
drv->nf_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
getsockopt(drv->nf_sock, IPPROTO_IP, IPT_SO_GET_INFO, &info, &nf_sock_len);
getsockopt(drv->nf_sock, IPPROTO_IP, IPT_SO_GET_ENTRIES, &entries, &tmp);


Now I am stuck on finding the exact match in those entries, replacing it
with a DROP rule and committing the (DROP) rule.
Could you please help me with this?

Also, I tried to get the debug file /tmp/libiptc-so_get_entries.blob;
can you please suggest a command (with od / hexdump / ... tools) to view
the details in that file?


Or is there any other approach to solve this from here?

More info:

I am using Linux kernel 2.6.31 and
iptables 1.4.9.1
ebtables 2.0.6
libnfnetlink-1.0.0
libnl2 libraries


I am confused whether to use the socket-based approach or to include libiptc in my
code to invoke its functions. Whichever way would be suitable for my
implementation, could you
please point me in that direction?


The following commands do not work:

iptables -t filter -I INPUT -i eth2 -j DROP (doesn't drop any packets;
checked via tcpdump on eth2)
iptables -t filter -I FORWARD -i eth2 -j DROP (doesn't drop any
packets; checked via tcpdump on eth2)

whereas the following commands work:

iptables -t filter -I INPUT -j DROP (does work; can't see any
packets flowing through)
iptables -t filter -I FORWARD -j DROP (does work; can't see any
packets flowing through)


iptables -t filter -I INPUT -i br0 -j DROP (does work; can't see any
packets flowing through)
iptables -t filter -I FORWARD -i br0 -j DROP (does work; can't see
any packets flowing through)

I hope bridging is playing a role in dropping the packets here.

Your help will be greatly appreciated.
Thanks in advance,
Suman.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
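The /tmp/libiptc-so_get_entries.blob file asked about above is the raw IPT_SO_GET_ENTRIES reply (a struct ipt_get_entries header followed by packed struct ipt_entry records), so od/hexdump alone shows little. The decoder below is an added example, not code from the post or from libiptc; it assumes the struct layouts of linux/netfilter_ipv4/ip_tables.h (ipt_entry is 112 bytes, the target header 32 bytes, a standard target carries an int verdict) and builds its own constructed sample blob instead of reading a real file.

```python
import struct

# Layout from linux/netfilter_ipv4/ip_tables.h: sizeof(struct ipt_entry) == 112,
# the xt_entry_target header (size, name[29], revision) is 32 bytes, and a
# standard target (empty name) carries an int verdict: -NF_DROP-1 == DROP, etc.
VERDICTS = {-1: "DROP", -2: "ACCEPT", -5: "RETURN"}

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode()

def parse_entries_blob(blob):
    """Decode an IPT_SO_GET_ENTRIES reply: struct ipt_get_entries + entries.
    Returns (table_name, [(in_iface, target, pcnt, bcnt), ...])."""
    table = cstr(blob[:32])
    (size,) = struct.unpack_from("<I", blob, 32)
    # entrytable[] follows name[32] + size, padded to the entry alignment (4 or 8);
    # the size field lets us derive that padding instead of assuming the ABI.
    off = len(blob) - size
    rules = []
    while off < len(blob):
        iniface = cstr(blob[off + 16:off + 32])                  # ipt_ip.iniface
        target_off, next_off = struct.unpack_from("<HH", blob, off + 88)
        pcnt, bcnt = struct.unpack_from("<QQ", blob, off + 96)  # xt_counters
        toff = off + target_off
        tsize, tname = struct.unpack_from("<H29s", blob, toff)
        tname = cstr(tname)
        if tname == "":                                          # standard target
            (verdict,) = struct.unpack_from("<i", blob, toff + 32)
            tname = VERDICTS.get(verdict, "jump to offset %d" % verdict)
        rules.append((iniface or "any", tname, pcnt, bcnt))
        off += next_off
    return table, rules

def build_std_entry(iniface, verdict, pcnt=0, bcnt=0):
    """Constructed sample entry: built-in interface match + standard target (8-byte padded)."""
    ip = struct.pack("<16s16s16s16s16sHBB", b"", iniface.encode(), b"",
                     b"\xff" * (len(iniface) + 1) if iniface else b"", b"", 0, 0, 0)
    entry = ip + struct.pack("<IHHIQQ", 0, 112, 152, 0, pcnt, bcnt)
    target = struct.pack("<H29sB", 40, b"", 0) + struct.pack("<i", verdict) + b"\0" * 4
    return entry + target

def sample_blob():
    """Constructed blob mimicking `iptables -I INPUT -i eth2 -j DROP` plus the ACCEPT policy."""
    entries = build_std_entry("eth2", -1) + build_std_entry("", -2, pcnt=42, bcnt=6300)
    return b"filter".ljust(32, b"\0") + struct.pack("<I", len(entries)) + b"\0" * 4 + entries

if __name__ == "__main__":
    table, rules = parse_entries_blob(sample_blob())
    for in_if, target, pcnt, bcnt in rules:
        print("%s: in=%-5s target=%-7s pkts=%d bytes=%d" % (table, in_if, target, pcnt, bcnt))
```

Run against a real blob, the pcnt/bcnt counters of the eth2 rule staying at zero while the policy entry's counters climb is the same symptom the post reports with tcpdump, and is the quickest check of whether a rule ever matches.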