iptables source help

iptables source help

[Ozgur AKAN]

Why is ntohl() is used. "network byte order to host byte order" what 
does this mean?

thanks,
Ozgur AKAN

Re: iptables source help

[Emmanuel Guiton]

Hi!

Depending on their architecture, machines do not read data in the same 
order (i.e. when reading a byte, do you start with the most or less 
significant bit?).
The function ntohl (for long words or ntohs for short words) will always 
translate the data so that the host can read it in the right order.
The function htonl (or htons) translate the data o that it is 
transmitted in the right order on the wire.

    Emmanuel

Ozgur AKAN wrote:

> Why is ntohl() is used. "network byte order to host byte order" what 
> does this mean?
>
> thanks,
> Ozgur AKAN
>

input/output interface on a bridging firewall

[Eicke Friedrich]

Hi all,

I've been using a bridging firewall running 2.4.x kernel series. A 
couple of days ago I started to migrate to kernel 2.6.3. Since you can 
enable netfilter for a bridge directly in kernelconfig there is no 
need to get the ebtables patches anymore. Some POM-ng patches were 
applied (CONNMARK) and kernel compilation went well.

One thing does _not_ work anymore: I can't match the incoming (-i 
ethX) or outgoing (-o ethX) interface anymore if the interface is a 
port of a bridge interface (brX). I've to match the outgoing interface 
for -j CLASSIFY to sort packets in htb classes. Using kernel 2.4.x 
this was possible. Any hints or comments for me?

Thanks in advance,
Eicke.

Re: input/output interface on a bridging firewall

[Cedric Blancher]

Le lun 08/03/2004 à 17:43, Eicke Friedrich a écrit :
> One thing does _not_ work anymore: I can't match the incoming (-i 
> ethX) or outgoing (-o ethX) interface anymore if the interface is a 
> port of a bridge interface (brX). I've to match the outgoing interface 
> for -j CLASSIFY to sort packets in htb classes. Using kernel 2.4.x 
> this was possible. Any hints or comments for me?

<joke>
Yep, RTFM :)))
</joke>

Since 2.5.$idontrememberwhichone, output interface for a bridge is
matched as br0 as it should be. To match physical interface that is part
of the bridge, you have to use physdev match. From iptables help page :

physdev v1.2.9 options:
 --physdev-in [!] input name[+]         bridge port name ([+] for
wildcard)
 --physdev-out [!] output name[+]       bridge port name ([+] for
wildcard)
 [!] --physdev-is-in                    arrived on a bridge device
 [!] --physdev-is-out                   will leave on a bridge device
 [!] --physdev-is-bridged               it's a bridged packet

So -i eth0 becomes -m physdev --physdev-in eth0 and -o eth1 becomes -m
physdev --physdev-out eth1.

The three last options allows one to match packets that are routed from
or to a bridge and packets that will get bridged.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: iptables source help

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 695 bytes --]

On Mon, Mar 08, 2004 at 04:05:47PM +0200, Ozgur AKAN wrote:
> Why is ntohl() is used. "network byte order to host byte order" what 
> does this mean?

I recommend reading some basic book about networking in general.
networks are always big endian, host byte order depends on architecture.

> thanks,
> Ozgur AKAN

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]