ebtables v/s arptables

ebtables v/s arptables

[pankaj jain]

Hi,
I am trying to reply the arp requests in which the destination IP is
of my machine but I have not plumbed the IP on any physical interface
I am able to achieve this with both ebtables and arptables.
I want to know the pros and cons of using any of the two (arptables ,
ebtables) tools.

-- 
Thanks
Pankaj Jain

Re: ebtables v/s arptables

[pankaj jain]

Hi Bart,
I am quite new to these concepts and tools,
It would be great if you could please elaborate the statement and
throw some light on arptables also.
I believe for ebtables to work , we have to create a bridge interface also.
without creating a bridge I was not able to respond to arp requests
for IPs which are with me but are not plumbed on any interface.
Does ip_forwarding have any impact on arptables and ebtables.

Regards
Pankaj jain

On 6/13/07, Bart De Schuymer <bdschuym@pandora.be> wrote:
> Op wo, 13-06-2007 te 13:50 +0530, schreef pankaj jain:
> > Hi,
> > I am trying to reply the arp requests in which the destination IP is
> > of my machine but I have not plumbed the IP on any physical interface
> > I am able to achieve this with both ebtables and arptables.
> > I want to know the pros and cons of using any of the two (arptables ,
> > ebtables) tools.
>
> Using ebtables should be faster because the packet doesn't need to
> traverse through the network stack.
>
> cheers,
> Bart
>
>
>


-- 
Thanks
Pankaj Jain

Re: ebtables v/s arptables

[Bart De Schuymer]

Op do, 14-06-2007 te 13:55 +0530, schreef pankaj jain:
> Hi Bart,
> I am quite new to these concepts and tools,
> It would be great if you could please elaborate the statement and
> throw some light on arptables also.
> I believe for ebtables to work , we have to create a bridge interface also.
> without creating a bridge I was not able to respond to arp requests
> for IPs which are with me but are not plumbed on any interface.

That's correct. If you don't need a bridge (you're not forwarding based
on MAC addresses) you should probably not use one. It's possible to get
packets sent to ebtables on a device with only one network interface,
though. See http://ebtables.sourceforge.net/examples.html#ex_nobridge

> Does ip_forwarding have any impact on arptables and ebtables.

No.

cheers,
Bart

Re: ebtables v/s arptables

[pankaj jain]

Hi Bart,
Do I have to create a bridge to use "arpreply --arpreply-mac <MAC
address>" as a target.
I am asking this because I was not getting arp responses from the
machine where I inserted the ebtable rule but did not create a bridge.

Regards
Pankaj

On 6/14/07, Bart De Schuymer <bdschuym@pandora.be> wrote:
> Op do, 14-06-2007 te 13:55 +0530, schreef pankaj jain:
> > Hi Bart,
> > I am quite new to these concepts and tools,
> > It would be great if you could please elaborate the statement and
> > throw some light on arptables also.
> > I believe for ebtables to work , we have to create a bridge interface also.
> > without creating a bridge I was not able to respond to arp requests
> > for IPs which are with me but are not plumbed on any interface.
>
> That's correct. If you don't need a bridge (you're not forwarding based
> on MAC addresses) you should probably not use one. It's possible to get
> packets sent to ebtables on a device with only one network interface,
> though. See http://ebtables.sourceforge.net/examples.html#ex_nobridge
>
> > Does ip_forwarding have any impact on arptables and ebtables.
>
> No.
>
> cheers,
> Bart
>
>
>


-- 
Thanks
Pankaj Jain

Re: ebtables v/s arptables

[Jan Engelhardt]

On Jun 15 2007 10:51, pankaj jain wrote:
>
> Hi Bart,
> Do I have to create a bridge to use "arpreply --arpreply-mac <MAC
> address>" as a target.
> I am asking this because I was not getting arp responses from the
> machine where I inserted the ebtable rule but did not create a bridge.

Of course. Ebtables works ONLY with bridges. So you create
your regular eth0 or whatever, give it its ip address, and
create a br0 device that binds eth0, but do not give br0
any address. (That's how one preferably does it if you only
need arpreply.)

And don't top post.


	Jan
-- 

Re: ebtables v/s arptables

[pankaj jain]

Hi Jan,
I am sorry I did not get the meaning of last line "And don't top post."

I would also want to know is there any theoretical limit on number of
iptable , ebtable, arptable rules we can set?

Regards
Pankaj Jain

On 6/15/07, Jan Engelhardt <jengelh@computergmbh.de> wrote:
>
> On Jun 15 2007 10:51, pankaj jain wrote:
> >
> > Hi Bart,
> > Do I have to create a bridge to use "arpreply --arpreply-mac <MAC
> > address>" as a target.
> > I am asking this because I was not getting arp responses from the
> > machine where I inserted the ebtable rule but did not create a bridge.
>
> Of course. Ebtables works ONLY with bridges. So you create
> your regular eth0 or whatever, give it its ip address, and
> create a br0 device that binds eth0, but do not give br0
> any address. (That's how one preferably does it if you only
> need arpreply.)
>
> And don't top post.
>
>
>         Jan
> --
>


-- 
Thanks
Pankaj Jain

Re: ebtables v/s arptables

["C. Bergström"]

pankaj jain wrote:
>
> On 6/15/07, Jan Engelhardt <jengelh@computergmbh.de> wrote:
>>
>> On Jun 15 2007 10:51, pankaj jain wrote:
>> >
>> > Hi Bart,
>> > Do I have to create a bridge to use "arpreply --arpreply-mac <MAC
>> > address>" as a target.
>> > I am asking this because I was not getting arp responses from the
>> > machine where I inserted the ebtable rule but did not create a bridge.
>>
>> Of course. Ebtables works ONLY with bridges. So you create
>> your regular eth0 or whatever, give it its ip address, and
>> create a br0 device that binds eth0, but do not give br0
>> any address. (That's how one preferably does it if you only
>> need arpreply.)
>>
>> And don't top post.
>>
>>
> Hi Jan,
> I am sorry I did not get the meaning of last line "And don't top post."
>
> I would also want to know is there any theoretical limit on number of
> iptable , ebtable, arptable rules we can set?
>
I'm just a lurker, but this link may help.

http://linux.sgms-centre.com/misc/netiquette.php#toppost

Good luck

./C

Re: ebtables v/s arptables

[pankaj jain]

On 6/15/07, "C. Bergström" <cbergstrom@netsyncro.com> wrote:
> pankaj jain wrote:
> >
> > On 6/15/07, Jan Engelhardt <jengelh@computergmbh.de> wrote:
> >>
> >> On Jun 15 2007 10:51, pankaj jain wrote:
> >> >
> >> > Hi Bart,
> >> > Do I have to create a bridge to use "arpreply --arpreply-mac <MAC
> >> > address>" as a target.
> >> > I am asking this because I was not getting arp responses from the
> >> > machine where I inserted the ebtable rule but did not create a bridge.
> >>
> >> Of course. Ebtables works ONLY with bridges. So you create
> >> your regular eth0 or whatever, give it its ip address, and
> >> create a br0 device that binds eth0, but do not give br0
> >> any address. (That's how one preferably does it if you only
> >> need arpreply.)
> >>
> >> And don't top post.
> >>
> >>
> > Hi Jan,
> > I am sorry I did not get the meaning of last line "And don't top post."
> >
> > I would also want to know is there any theoretical limit on number of
> > iptable , ebtable, arptable rules we can set?
> >
> I'm just a lurker, but this link may help.
>
> http://linux.sgms-centre.com/misc/netiquette.php#toppost
>
> Good luck
>
> ./C

Thanks for the Reference.
I think I have got the netiquettes now :)

-- 
Thanks
Pankaj Jain

Re: ebtables v/s arptables

["C. Bergström"]

pankaj jain wrote:
> On 6/15/07, "C. Bergström" <cbergstrom@netsyncro.com> wrote:
>> pankaj jain wrote:
>> >
<snip />
>> >>
>> > Hi Jan,
>> > I am sorry I did not get the meaning of last line "And don't top
>> post."
>> >
>> > I would also want to know is there any theoretical limit on number of
>> > iptable , ebtable, arptable rules we can set?
>> >
>> I'm just a lurker, but this link may help.
>>
>> http://linux.sgms-centre.com/misc/netiquette.php#toppost
>>
>
> Thanks for the Reference.
> I think I have got the netiquettes now :)
>
Another one converted to the dark side ;)

ok.. I'm back to read-only..

./C

Re: ebtables v/s arptables

[Jan Engelhardt]

On Jun 15 2007 12:11, pankaj jain wrote:
> Hi Jan,
> I am sorry I did not get the meaning of last line "And don't top post."
>
> I would also want to know is there any theoretical limit on number of
> iptable , ebtable, arptable rules we can set?

I was able to add about 320K dummy rules. Might depend on memory.


	Jan
-- 

Re: ebtables v/s arptables

[pankaj jain]

On 6/15/07, Jan Engelhardt <jengelh@computergmbh.de> wrote:
>
> On Jun 15 2007 12:11, pankaj jain wrote:
> > Hi Jan,
> > I am sorry I did not get the meaning of last line "And don't top post."
> >
> > I would also want to know is there any theoretical limit on number of
 > > iptable , ebtable, arptable rules we can set?
>
> I was able to add about 320K dummy rules. Might depend on memory.
>
>
>         Jan
> --
>

HI Jan,
As I was using arptables for responding arp-requests, I did not plumb
the interfaces on my machine.
Now I want to add a gateway from the same subnet, for example:
I am sending arp responses for 203.200.192.24 (sorry if some one has
this IP) using arp tables so I have not plumbed this IP on my
interface
Now I want to add a gateway e.g. 203.200.192.1 in the route table
"ip route add default via  203.200.192.1 dev eth0 table 10"
but when I try this it says
RTNETLINK answers: Network is unreachable

please suggest some solution.
-- 
Thanks
Pankaj Jain

Re: ebtables v/s arptables

[Jan Engelhardt]

On Jun 18 2007 17:47, pankaj jain wrote:
> Now I want to add a gateway e.g. 203.200.192.1 in the route table
> "ip route add default via  203.200.192.1 dev eth0 table 10"
> but when I try this it says
> RTNETLINK answers: Network is unreachable

You do no thave a route to 203.200.192.1.



	Jan
-- 

Re: ebtables v/s arptables

[pankaj jain]

On 6/20/07, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> You should consider posting your questions in the netfilter user list
> rather than the netfilter developper list because they are user related
> rather than developper related.
>
> pankaj jain a écrit :
> >
> > As I was using arptables for responding arp-requests, I did not plumb
> > the interfaces on my machine.
>
> "Plumb" ? What do you mean ?
>
> > Now I want to add a gateway from the same subnet, for example:
> > I am sending arp responses for 203.200.192.24 (sorry if some one has
> > this IP) using arp tables so I have not plumbed this IP on my
> > interface
>
> Again, what do you mean by "plumb" ?
>
> > Now I want to add a gateway e.g. 203.200.192.1 in the route table
> > "ip route add default via  203.200.192.1 dev eth0 table 10"
> > but when I try this it says
> > RTNETLINK answers: Network is unreachable
>
> You got this error from the route command because a gateway must be
> directly reachable on an interface but there is no direct route to the
> 203.200.192.1 via eth0 in the routing table.
>
> However I do not understand why you want to use an address that does not
> exist as a gateway. Could you explain your goal ?
>
> (You may reply by posting a message on the netfilter user list)
>

Hi
Plumbing means I did not assign the IP 203.200.192.24 to any of my
interfaces, instead I was using arptables to respond the arp requests
for this IP.
The gateway exists on the same subnet but because I did not assign the
IP to any of my interfaces, ip route rejects the gateway add command.
but now I understood that first I had to add the network route for that gateway.
I added the network route to the table 10 but it did not work
I had to add the same route to the main table also to make it work :).

why do I have to add the network route in the main table also ?

The command used are:

TRY - 1
ip route add default via  203.200.192.1 dev eth0 table 10  (did not work)
RESULT -> RTNETLINK answers: Network is unreachable

TRY - 2
ip route add 203.200.192.0/24 dev eth0 table 10
ip route add default via  203.200.192.1 dev eth0 table 10
RESULT -> RTNETLINK answers: Network is unreachable

TRY - 3
ip route add 203.200.192.0/24 dev eth0
ip route add default via  203.200.192.1 dev eth0 table 10
RESULT -> success

does network route of individual tables does not have any effect ??
-- 
Thanks
Pankaj Jain

Re: ebtables v/s arptables

[Petr Pisar]

On 2007-06-20, pankaj jain <jainp1979@gmail.com> wrote:
> On 6/20/07, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Plumbing means I did not assign the IP 203.200.192.24 to any of my
> interfaces, instead I was using arptables to respond the arp requests
> for this IP.
> The gateway exists on the same subnet but because I did not assign the
> IP to any of my interfaces, ip route rejects the gateway add command.
> but now I understood that first I had to add the network route for that gateway.

Or use "dev DEVICE onlink" suffix:

ip route add default via 203.200.192.1 dev eth0 onlink

-- Petr