* bridge
  2012-01-11 16:06         ` promiscuous mode Wolfgang
@ 2012-01-12 15:37           ` Kurt Van Dijck
From: Kurt Van Dijck @ 2012-01-12 15:37 UTC (permalink / raw)
  To: Wolfgang; +Cc: linux-can

Wolfgang,

I'm afraid I don't fully understand the problem now.
Promiscuous mode means that PGNs not destined for you
are received also. It is not needed to catch broadcasted
traffic. Sorry for the noise about that.

Based on the 2 programs, I see no advantage in the use of recvmsg(),
since you're not using any of the extra functionality.

So far, use the first program as a reference.
Instead of modifying your source, I'll shortly describe the headlines
that I think I would use.

so:
	#include <net/if.h>
	#include <sys/socket.h>
	#include <linux/can.h>
	#include <linux/can/j1939.h>

	int ret, s1, s2;
	socklen_t len;
	struct sockaddr_can dest_addr;
	char buf[128];

	/* wildcard address: receive every PGN, from every SA and NAME */
	struct sockaddr_can src_addr = {
		.can_family = AF_CAN,
		.can_addr.j1939 = {
			.addr = J1939_NO_ADDR,
			.pgn = J1939_NO_PGN,
			.name = J1939_NO_NAME,
		},
	};

	src_addr.can_ifindex = if_nametoindex("can0");
	dest_addr.can_ifindex = if_nametoindex("can1");

	s1 = socket(PF_CAN, SOCK_DGRAM, CAN_J1939);
	if (s1 < 0)
		perror("...");
	ret = bind(s1, (void *)&src_addr, sizeof(src_addr));
	if (ret < 0)
		perror("...");

	s2 = socket(PF_CAN, SOCK_DGRAM, CAN_J1939);
	if (s2 < 0)
		perror("...");
	/* no bind for s2 yet */

	while (1) {
		len = sizeof(src_addr);
		ret = recvfrom(s1, buf, sizeof(buf), 0, (void *)&src_addr, &len);
		if (ret < 0) {
			perror("recvfrom failed");
			continue;
		}
		/*
		 * OK, we got a PGN, of size 'ret' and originating
		 * from src_addr.can_ifindex, using SA src_addr.can_addr.j1939.addr
		 * and PGN src_addr.can_addr.j1939.pgn
		 *
		 * We need to use this info in s2 to be used as source for this PGN
		 * except for the can_ifindex member, since it's the other ifindex.
		 */

		/* switch to the other interface, keep SA, PGN and NAME */
		src_addr.can_ifindex = dest_addr.can_ifindex;
		if (bind(s2, (void *)&src_addr, sizeof(src_addr)) < 0)
			perror("...");

		/* s2 is now ready */
		if (send(s2, buf, ret, 0) < 0)
			perror("send failed");
	}

Since my commits a few days ago, calling bind() with different source addresses is
now possible.

Kind regards,
Kurt


* Bridge
@ 2017-02-08 16:36 Mario Leone
  2017-02-09 10:24 ` R: Bridge Mario Leone
  2017-02-09 14:12 ` Bridge Alfredo Rezinovsky
From: Mario Leone @ 2017-02-08 16:36 UTC (permalink / raw)
  To: netfilter

Dear users,

I have a GPON fiber home connection that consists of 2 apparatus:

- Optical network terminal (Huawei HG8010H)
- My ISP custom firmware router

The router connects to the ONT via the WAN port and the traffic is basically ipv4
encapsulated in a pppoe session encapsulated in a 2 vlan trunk, one for http(s)
one for voip

I want to see the traffic that flows between router and ont so I built a
linux box with 2 ports configured as bridge with no ip

ONT ------ eth1[BOX]eth0 ------- Router

The typical packet that flows has source mac address and destination mac
address of ont and router (depending on the direction) and the rest inside.
I could just put wireshark listening on br0 but I can see only unencrypted
traffic, so I want to do something a little more complicated.

I would intercept traffic in both directions and redirect it to a localhost
proxy with 3 stages:

1) setup ebtables to recognize traffic on the http vlan (so all traffic) and
bring it to layer 3
2) setup iptables to NAT packets on some ports to be intercepted by my ssl
proxy and leave untouched all other traffic
3) nat traffic back to the original destination like it was sent by the router
or vice versa from the server

All my attempts to redirect traffic, or even log it passing through the
bridge, have failed.
Any help?

Thanks


* R: Bridge
  2017-02-08 16:36 Bridge Mario Leone
@ 2017-02-09 10:24 ` Mario Leone
  2017-02-09 10:57   ` Pablo Neira Ayuso
  2017-02-09 14:12 ` Bridge Alfredo Rezinovsky
From: Mario Leone @ 2017-02-09 10:24 UTC (permalink / raw)
  To: 'Mario Leone'; +Cc: netfilter

As said here: http://ebtables.netfilter.org/documentation/bridge-nf.html

bridge-nf-call-arptables
bridge-nf-call-iptables
bridge-nf-call-ip6tables

are enabled by default

echo 1 > bridge-nf-filter-vlan-tagged
does nothing

echo 1> bridge-nf-filter-pppoe-tagged
drops the connection

thanks


* Re: R: Bridge
  2017-02-09 10:24 ` R: Bridge Mario Leone
@ 2017-02-09 10:57   ` Pablo Neira Ayuso
  2017-02-09 11:28     ` Mario Leone
From: Pablo Neira Ayuso @ 2017-02-09 10:57 UTC (permalink / raw)
  To: Mario Leone; +Cc: netfilter

On Thu, Feb 09, 2017 at 11:24:49AM +0100, Mario Leone wrote:
> As said here: http://ebtables.netfilter.org/documentation/bridge-nf.html
> 
> bridge-nf-call-arptables
> bridge-nf-call-iptables
> bridge-nf-call-ip6tables
> 
> are enabled by default
> 
> echo 1 > bridge-nf-filter-vlan-tagged
> does nothing
> 
> echo 1> bridge-nf-filter-pppoe-tagged
> drops the connection

What kernel and userspace tooling versions are you using?


* Re: R: Bridge
  2017-02-09 10:57   ` Pablo Neira Ayuso
@ 2017-02-09 11:28     ` Mario Leone
From: Mario Leone @ 2017-02-09 11:28 UTC (permalink / raw)
  To: pablo; +Cc: netfilter

> On Thu, Feb 09, 2017 at 11:24:49AM +0100, Mario Leone wrote:
> > As said here: http://ebtables.netfilter.org/documentation/bridge-nf.html
> > 
> > bridge-nf-call-arptables
> > bridge-nf-call-iptables
> > bridge-nf-call-ip6tables
> > 
> > are enabled by default
> > 
> > echo 1 > bridge-nf-filter-vlan-tagged
> > does nothing
> > 
> > echo 1> bridge-nf-filter-pppoe-tagged
> > drops the connection
> 
> What kernel and userspace tooling versions are you using?

root@zotac:~# uname -r
4.9.0-kali1-amd64
root@zotac:~# ebtables -V
ebtables v2.0.10-4 (December 2011)
root@zotac:~# iptables -V
iptables v1.6.0


tail -n +1 /proc/sys/net/bridge/bridge-nf-*
==> /proc/sys/net/bridge/bridge-nf-call-arptables <==
1

==> /proc/sys/net/bridge/bridge-nf-call-ip6tables <==
1

==> /proc/sys/net/bridge/bridge-nf-call-iptables <==
1

==> /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged <==
0

==> /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged <==
1

==> /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev <==
0



* Re: Bridge
  2017-02-08 16:36 Bridge Mario Leone
  2017-02-09 10:24 ` R: Bridge Mario Leone
@ 2017-02-09 14:12 ` Alfredo Rezinovsky
From: Alfredo Rezinovsky @ 2017-02-09 14:12 UTC (permalink / raw)
  To: Mario Leone, netfilter



On 08/02/17 13:36, Mario Leone wrote:
> Dear users,
>
> I have a GPON fiber home connection that consists of 2 apparatus:
>
> - Optical network terminal (Huawei HG8010H)
> - My ISP custom firmware router
>
> The router connects to the ONT via the WAN port and the traffic is basically ipv4
> encapsulated in a pppoe session encapsulated in a 2 vlan trunk, one for http(s)
> one for voip
>
> I want to see the traffic that flows between router and ont so I built a
> linux box with 2 ports configured as bridge with no ip
>
> ONT ------ eth1[BOX]eth0 ------- Router
>
> The typical packet that flows has source mac address and destination mac
> address of ont and router (depending on the direction) and the rest inside.
> I could just put wireshark listening on br0 but I can see only unencrypted
> traffic, so I want to do something a little more complicated.
>
> I would intercept traffic in both directions and redirect it to a localhost
> proxy with 3 stages:
>
> 1) setup ebtables to recognize traffic on the http vlan (so all traffic) and
> bring it to layer 3
> 2) setup iptables to NAT packets on some ports to be intercepted by my ssl
> proxy and leave untouched all other traffic
> 3) nat traffic back to the original destination like it was sent by the router
> or vice versa from the server
>
> All my attempts to redirect traffic, or even log it passing through the
> bridge, have failed.
> Any help?
>
> Thanks
>
>
# First rule is only an optimization.
ebtables -t broute -A BROUTING -d ${my_bridge_mac} -p ipv4 -j redirect --redirect-target DROP

# Those are the rules to bring http traffic to layer 3
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# Some more may be needed because of your vlan configuration.

When in layer 3, the Router must have routes to reach the ONT, the Router
and the IPs behind the Router. The router needs an IP to ask for ARP on both
sides.
The proxy (unless in tproxy mode) needs to have an IP to use as source
for its packets. Even in tproxy, the proxy needs a source IP to make DNS
queries.

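The layer-3 pieces this answer says are required (addresses and routes on both bridge ports, ARP reaching the box) put together with the broute rules and the iptables REDIRECT to a local proxy, as one script. This is an added example, not code from the thread or from the netfilter project; the interface names, addresses, LAN prefix, gateway and proxy port are all constructed assumptions, and commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Assumed (constructed) layout: eth0 faces the router (192.0.2.1, LAN 192.168.1.0/24
# behind it), eth1 faces the ONT (gateway 198.51.100.1); the box owns 192.0.2.2 and
# 198.51.100.2 on those ports; a proxy listens on TCP 8080. Commands are printed and
# only executed when APPLY=1 (root), so the rule set can be reviewed first.
ROUTER_IF=${ROUTER_IF:-eth0}; ROUTER_IP=${ROUTER_IP:-192.0.2.1}
ROUTER_SIDE_ADDR=${ROUTER_SIDE_ADDR:-192.0.2.2/24}; LAN_NET=${LAN_NET:-192.168.1.0/24}
ONT_IF=${ONT_IF:-eth1}; ONT_GW=${ONT_GW:-198.51.100.1}
ONT_SIDE_ADDR=${ONT_SIDE_ADDR:-198.51.100.2/24}
PORT=${PORT:-80}; PROXY_PORT=${PROXY_PORT:-8080}

run() {  # print a command; run it only when APPLY=1
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# A brouted frame reaches the IP stack as if received on the bridge *port*, not on
# br0, so the ports themselves carry the addresses, and ARP for those addresses must
# be brouted too (-j DROP in BROUTING means "route, do not bridge").
layer3_setup() {
    run ip addr add "$ROUTER_SIDE_ADDR" dev "$ROUTER_IF"
    run ip addr add "$ONT_SIDE_ADDR" dev "$ONT_IF"
    run ip route add "$LAN_NET" via "$ROUTER_IP" dev "$ROUTER_IF"
    run ip route add default via "$ONT_GW" dev "$ONT_IF"
    run ebtables -t broute -A BROUTING -i "$ROUTER_IF" -p ARP \
        --arp-ip-dst "${ROUTER_SIDE_ADDR%/*}" -j DROP
    run ebtables -t broute -A BROUTING -i "$ONT_IF" -p ARP \
        --arp-ip-dst "${ONT_SIDE_ADDR%/*}" -j DROP
}

# 'redirect --redirect-target DROP' also rewrites the destination MAC to the port's
# own, so unicast port-80 frames addressed to router or ONT are accepted locally.
broute_rules() {
    run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport "$PORT" \
        -j redirect --redirect-target DROP
    run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport "$PORT" \
        -j redirect --redirect-target DROP
}

# Once routed, the client->server half from the router side goes to the local proxy
# (which learns the real destination via SO_ORIGINAL_DST); server->client replies are
# addressed to the proxy's own connections and need no NAT.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$ROUTER_IF" -p tcp --dport "$PORT" \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

setup_all() { layer3_setup; broute_rules; nat_rules; }

if [ "${1:-}" = setup ]; then setup_all; fi
```

Run as `APPLY=1 sh bridge-proxy.sh setup` on the bridge box to apply; without APPLY it only lists the rules it would add.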
