* Transparent http filtering VLAN traffic without being a member of tagged VLANs
From: Oguz Yilmaz @ 2010-02-17 20:16 UTC (permalink / raw)
  To: netfilter

On a bridge setup, I want to filter http traffic transparently through
Squid. br0 bridge is between eth0 and eth1.
In the bridged traffic there are some tagged VLANs.

When I run tcpdump on br0 I see all the traffic from VLANs. At this
point a DNAT (VLAN10Subnet - Any - http => Original - LocalIP -
8080) does not work.

iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT
--to-destination 10.0.0.1:8080


When I enabled VLANs with vconfig:

vconfig add br0 26

I see br0.26 interface in ifconfig output.

And DNAT started working. When I DNAT the traffic into port 8080 on
localhost to Squid, I see that Squid gets the traffic and logs it into
the log file. However, proxying does not happen. The reply cannot be
delivered to the original requester. We broke the connection. On the
user side, HTTP traffic is cut.

I think the problem is not having any IP on br0.26 from VLAN10Subnet,
because the whole class C is divided into subnets with mask .252, each having 2
usable IP addresses, and both are used. Do you have any other idea on
identifying the problem?

If you think the problem is what I see, how can I overcome this? Is it
possible to NAT in another way that includes the VLAN information? Marking,
maybe?

Best Regards,
Oguz.


* Re: Transparent http filtering VLAN traffic without being a member of tagged VLANs
From: Marek Kierdelewicz @ 2010-02-17 20:55 UTC (permalink / raw)
  To: Oguz Yilmaz; +Cc: netfilter

Hello,

Try to solve the problems one at a time. One question: does squid
have an internet connection on a non-bridged interface with a dedicated
IP address?

>On a bridge setup, I want to filter http traffic transparently through
>Squid. br0 bridge is between eth0 and eth1.
>In the bridged traffic there are some tagged VLANs.
>When I run tcpdump on br0 I see all the traffic from VLANs. At this
>point a DNAT (VLAN10Subnet - Any - http => Original - LocalIP -
>8080) does not work.

What does `cat /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged` show?
It should be set to 1 if you want tagged traffic to pass iptables. You
can set this value in runtime by issuing:
echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged
or more permanently by adding
net.bridge.bridge-nf-filter-vlan-tagged=1 to /etc/sysctl.conf

Anyway you still need to have the route to client as I wrote below.

>I think the problem is not having any IP on br0.26 from VLAN10Subnet.
>Because the whole C class is divided into subnets of 255.252 having 2
>usable IP address and both are used. Do you have any other idea on
>identifying the problem?

One thing is missing for sure. Let's assume you have the 10.0.0.0/30 subnet
on vlan 26. You should add such a route on your bridge:
ip route add 10.0.0.0/30 dev br0.26

This way bridge knows where to send replies to clients (subnet
10.0.0.0/30 available directly on br0.26 interface).

Hope that helps.

Best regards,
Marek Kierdelewicz


* Re: Transparent http filtering VLAN traffic without being a member of tagged VLANs
From: Oguz Yilmaz @ 2010-02-18  7:23 UTC (permalink / raw)
  To: Marek Kierdelewicz; +Cc: netfilter

On Wed, Feb 17, 2010 at 10:55 PM, Marek Kierdelewicz <marek@piasta.pl> wrote:
> Hello,
>
> Try to solve each of the problems at a time. One question - does squid
> have internet connection on nonbridged interface with dedicated
> IP address?
>

Sure. Tested.

>>On a bridge setup, I want to filter http traffic transparently through
>>Squid. br0 bridge is between eth0 and eth1.
>>In the bridged traffic there are some tagged VLANs.
>>When I run tcpdump on br0 I see all the traffic from VLANs. At this
>>point a DNAT (VLAN10Subnet - Any - http => Original - LocalIP -
>>8080) does not work.
>
> What does `cat /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged` show?
> It should be set to 1 if you want tagged traffic to pass iptables. You
> can set this value in runtime by issuing:
> echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged
> or more permanently by adding
> net.bridge.bridge-nf-filter-vlan-tagged=1 to /etc/sysctl.conf
>

It is already 1.

> Anyway you still need to have the route to client as I wrote below.
>
>>I think the problem is not having any IP on br0.26 from VLAN10Subnet.
>>Because the whole C class is divided into subnets of 255.252 having 2
>>usable IP address and both are used. Do you have any other idea on
>>identifying the problem?
>
> One thing is missing for sure. Let's assume you have the 10.0.0.0/30 subnet
> on vlan 26. You should add such a route on your bridge:
> ip route add 10.0.0.0/30 dev br0.26
>

This may be our problem. However ip route add returns
"SIOCADDRT: No such device"
while I see br0.26 in ifconfig output.

What about routing into not "dev br0.26" but to "dev br0"?

> This way bridge knows where to send replies to clients (subnet
> 10.0.0.0/30 available directly on br0.26 interface).
>
> Hope that helps.
>
> Best regards,
> Marek Kierdelewicz
>


* Re: Transparent http filtering VLAN traffic without being a member of tagged VLANs
From: Marek Kierdelewicz @ 2010-02-18 10:36 UTC (permalink / raw)
  To: Oguz Yilmaz; +Cc: netfilter

Hello,

>This may be our problem. However ip route add returns
>"SIOCADDRT: No such device"
>while I see br0.26 in ifconfig output.

Strange. It should work. Tested on debian lenny:

rt1:/# brctl addbr br0
rt1:/# ip link set up dev br0
rt1:/# vconfig add br0 26
Added VLAN with VID == 26 to IF -:br0:-
rt1:/# ip link set up dev br0.26
rt1:/# ip ro add 10.100.0.0/30 dev br0.26
rt1:/# ip ro sh dev br0.26
10.100.0.0/30  scope link    <- route is there!

Post output of your "ip addr sh" and "ip ro show" and steps you take to
set things up.

>What about routing into not "dev br0.26" but to "dev br0"?

In case of routing on br0 and not br0.26, AFAIK the bridge would send
replies untagged on the native VLAN. Maybe there are some ebtables hacks
I don't know about.

Best regards,
Marek Kierdelewicz


* Re: Transparent http filtering VLAN traffic without being a member of tagged VLANs
From: Oguz Yilmaz @ 2010-02-18 11:20 UTC (permalink / raw)
  To: Marek Kierdelewicz, netfilter

# ifconfig br0
br0       Link encap:Ethernet  HWaddr 00:0E:0C:C4:AA:E7
          inet addr:SOMEIP  Bcast:SOMEBCAST  Mask:255.255.255.252
          inet6 addr: fe80::20e:cff:fec4:aae7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88539199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:422429 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:457848874 (436.6 MiB)  TX bytes:53152547 (50.6 MiB)


br0.206   Link encap:Ethernet  HWaddr 00:0E:0C:C4:AA:E7
          inet6 addr: fe80::20e:cff:fec4:aae7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:901504 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:545628196 (520.3 MiB)  TX bytes:492 (492.0 b)


# ip link set up dev br0.206

# ip link show | grep br0.206
27: br0.206@br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

# route add -net 91.93.179.88 netmask 255.255.255.248 dev br0.206
SIOCADDRT: No such device

# ip ro add 91.93.179.88/29 dev br0.206
RTNETLINK answers: No such device

# ip ro sh dev br0.206
NO OUTPUT


The kernel is the Linux 2.6.18 CentOS EL5 kernel.



On Thu, Feb 18, 2010 at 12:36 PM, Marek Kierdelewicz <marek@piasta.pl> wrote:
> Hello,
>
>>This may be our problem. However ip route add returns
>>"SIOCADDRT: No such device"
>>while I see br0.26 in ifconfig output.
>
> Strange. It should work. Tested on debian lenny:
>
> rt1:/# brctl addbr br0
> rt1:/# ip link set up dev br0
> rt1:/# vconfig add br0 26
> Added VLAN with VID == 26 to IF -:br0:-
> rt1:/# ip link set up dev br0.26
> rt1:/# ip ro add 10.100.0.0/30 dev br0.26
> rt1:/# ip ro sh dev br0.26
> 10.100.0.0/30  scope link    <- route is there!
>
> Post output of your "ip addr sh" and "ip ro show" and steps you take to
> set things up.
>
>>What about routing into not "dev br0.26" but to "dev br0"?
>
> In case of routing on br0 and not br0.26 AFAIK bridge would be sending
> replies untagged on native vlan. Maybe there are some ebtables hacks
> I don't know about.
>
> Best regards,
> Marek Kierdelewicz
>


* Re: Transparent http filtering VLAN traffic without being a member of tagged VLANs
From: Yavetskiy Yuriy @ 2010-02-18 11:28 UTC (permalink / raw)
  To: Oguz Yilmaz; +Cc: Marek Kierdelewicz, netfilter

Hello.

And what is the output of

ip ro sho 91.93.179.88/29

?
If the route already exists, you must delete it before adding it to br0.206.

Oguz Yilmaz wrote:
> # ifconfig br0
> br0       Link encap:Ethernet  HWaddr 00:0E:0C:C4:AA:E7
>           inet addr:SOMEIP  Bcast:SOMEBCAST  Mask:255.255.255.252
>           inet6 addr: fe80::20e:cff:fec4:aae7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:88539199 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:422429 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:457848874 (436.6 MiB)  TX bytes:53152547 (50.6 MiB)
>
>
> br0.206   Link encap:Ethernet  HWaddr 00:0E:0C:C4:AA:E7
>           inet6 addr: fe80::20e:cff:fec4:aae7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:901504 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:545628196 (520.3 MiB)  TX bytes:492 (492.0 b)
>
>
> # ip link set up dev br0.206
>
> # ip link show | grep br0.206
> 27: br0.206@br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
>
> # route add -net 91.93.179.88 netmask 255.255.255.248 dev br0.206
> SIOCADDRT: No such device
>
> # ip ro add 91.93.179.88/29 dev br0.206
> RTNETLINK answers: No such device
>
> # ip ro sh dev br0.206
> NO OUTPUT
>
>
> Kernel is Linux 2.6.18 Centos EL5 Kernel.
>
>
>
> On Thu, Feb 18, 2010 at 12:36 PM, Marek Kierdelewicz <marek@piasta.pl> wrote:
>> Hello,
>>
>>> This may be our problem. However ip route add returns
>>> "SIOCADDRT: No such device"
>>> while I see br0.26 in ifconfig output.
>> Strange. It should work. Tested on debian lenny:
>>
>> rt1:/# brctl addbr br0
>> rt1:/# ip link set up dev br0
>> rt1:/# vconfig add br0 26
>> Added VLAN with VID == 26 to IF -:br0:-
>> rt1:/# ip link set up dev br0.26
>> rt1:/# ip ro add 10.100.0.0/30 dev br0.26
>> rt1:/# ip ro sh dev br0.26
>> 10.100.0.0/30  scope link    <- route is there!
>>
>> Post output of your "ip addr sh" and "ip ro show" and steps you take to
>> set things up.
>>
>>> What about routing into not "dev br0.26" but to "dev br0"?
>> In case of routing on br0 and not br0.26 AFAIK bridge would be sending
>> replies untagged on native vlan. Maybe there are some ebtables hacks
>> I don't know about.
>>
>> Best regards,
>> Marek Kierdelewicz
>>


-- 
WBR
Yavetskiy Yuriy
ULTI-RIPE



* Re: Transparent http filtering VLAN traffic without being a member of tagged VLANs
From: Marek Kierdelewicz @ 2010-02-18 22:15 UTC (permalink / raw)
  To: Yavetskiy Yuriy; +Cc: Oguz Yilmaz, netfilter

>Hello.

Hello,

>And what is output of
>ip ro sho 91.93.179.88/29
>?
>If the route already exists, you must delete it before adding it to br0.206.

Yuriy is right to suggest that check.

If "ip ro sho 91.93.179.88/29" shows nothing and you still
can't add the route, then there's something wrong with the kernel or the userspace ip
tools.

Best regards,
Marek
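The steps this thread converges on (the bridge-nf sysctl, the VLAN subinterface, the route back to the clients, and the DNAT to Squid) plus Yuriy's "is the route already there?" check, as an added example that is not code from any of the posters. The function names, the sample route table and the 10.0.0.0/30 addressing are assumptions constructed for the example; the DNAT rule is additionally scoped to the VLAN subnet and bridge interface, which the rule in the original post did not do.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not run) the setup the
# thread arrives at for one tagged VLAN on a bridge, and checks a captured
# `ip route show` for the pre-existing route Yuriy asked about.
# Review the printed commands before running them as root.

# Print the commands for bridge $1, VLAN id $2, client subnet $3, proxy $4:$5.
# The DNAT is limited to the VLAN subnet and the bridge interface (an addition;
# the original rule matched any source).
vlan_proxy_cmds() {
    br=$1; vid=$2; subnet=$3; proxy_ip=$4; proxy_port=$5
    cat <<EOF
sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=1
vconfig add $br $vid
ip link set up dev $br.$vid
ip route add $subnet dev $br.$vid
iptables -t nat -I PREROUTING -i $br -s $subnet -p tcp --dport 80 -j DNAT --to-destination $proxy_ip:$proxy_port
EOF
}

# Given the text of `ip route show` ($1), a prefix ($2) and the intended
# device ($3): print the device that already holds the prefix when it is a
# different one and return 1 (that route must go first); return 0 otherwise.
route_conflict() {
    routes=$1; subnet=$2; dev=$3
    other=$(printf '%s\n' "$routes" | awk -v p="$subnet" -v d="$dev" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) != d) print $(i+1) }')
    [ -z "$other" ] && return 0
    printf '%s\n' "$other"
    return 1
}

# Constructed sample of `ip route show`: the VLAN subnet was earlier routed
# via br0 untagged, so replies would leave on the native VLAN (Marek's point)
# and the add on br0.26 has to wait until that route is deleted.
SAMPLE_ROUTES='10.0.0.0/30 dev br0  scope link
default via 192.0.2.1 dev eth2'

if held=$(route_conflict "$SAMPLE_ROUTES" 10.0.0.0/30 br0.26); then
    vlan_proxy_cmds br0 26 10.0.0.0/30 10.0.0.1 8080
else
    echo "10.0.0.0/30 is already routed via $held; first: ip route del 10.0.0.0/30 dev $held" >&2
fi
```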

