question on ebtables and iptables, relating to conntrack-zones

[Ben Greear <greearb@candelatech.com>]

I'm trying to do something a bit weird with two bridges and a transparent
squid proxy.

I think I want the network diagram to look a bit like:

{ internet } -- eth0 - br0 - veth2 - veth1 - br1 - eth1 -- { client-side network }

The idea is to have br1 act just as a bridge, but have br0 have an IP and
do the squid re-direct logic.  This is because I need to see packets from clients
to squid on the two br1 ports, as if squid were somewhere in the {internet}.

I was thinking that setting br1 and it's ports to one conntrack zone
and br0 and it's ports to another would do the trick, but when I do
add those, the squid redirect nat seems to break.  I am thinking now
that maybe I'd need to implement conntrack zones for ebtables BROUTING, perhaps?

My current attempted setup file looks like:

#!/bin/bash

# Clean up any old rules.
/etc/init.d/stopbrouting

/sbin/ebtables -t broute -A BROUTING -i br0 -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables
echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

echo 1 > /sys/class/net/br0/bridge/nf_call_ip6tables
echo 1 > /sys/class/net/br0/bridge/nf_call_iptables

/usr/local/sbin/iptables -t raw -A PREROUTING -i eth1 -j CT --zone 2
/usr/local/sbin/iptables -t raw -A PREROUTING -i veth1 -j CT --zone 2
/usr/local/sbin/iptables -t raw -A PREROUTING -i br1 -j CT --zone 2

/usr/local/sbin/iptables -t raw -A PREROUTING -i eth0 -j CT --zone 3
/usr/local/sbin/iptables -t raw -A PREROUTING -i veth2 -j CT --zone 3
/usr/local/sbin/iptables -t raw -A PREROUTING -i br0 -j CT --zone 3



Any ideas are welcome.

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com