From: Steve Hill <steve@opendium.com>
To: Vigneswaran R <vignesh@atc.tcs.com>
Cc: Jan Engelhardt <jengelh@medozas.de>, netfilter@vger.kernel.org
Subject: Re: Filtering on bridges
Date: Tue, 03 Jan 2012 13:15:13 +0000 [thread overview]
Message-ID: <4F02FF61.5020806@opendium.com> (raw)
In-Reply-To: <4EF40499.3020005@atc.tcs.com>
On 23/12/11 04:33, Vigneswaran R wrote:
> Sorry for interrupting your discussion. I am following this thread from
> the beginning. However, I couldn't get exactly how your setup looks
> like. If possible, could you please give a simple (ascii) pictorial
> representation of your setup. This may help more people (normal iptable
> users like me) to understand the discussion better. Thank you.
+-----------------------------------------------------------+
| Linux Server |
| |
| (br0) |
| | |
| +------------+-----------+-----------+-----------+ |
| | | | | | |
| (eth0) (eth1) (eth2) (eth3) (eth4) |
+-----------------------------------------------------------+
| | | | |
| | | | |
+----------+ +--------+ +--------+ +--------+ +--------+
| Upstream | | Other | | Other | | Other | | Other |
| Switch | | Server | | Server | | Server | | Server |
+----------+ +--------+ +--------+ +--------+ +--------+
As you can see, the Linux server has several network interfaces, all of
which are bridged together. I'm using iptables to filter the traffic
between those NICs. Filtering bridged traffic largely works as expected
(although there is an issue that using REJECT filter rules causes the
kernel to panic as the ICMP response is injected into the bridge!) This
means I can write iptables filter rules in the FORWARD chain using the
physdev module to reference the physical NICs (e.g. "DROP TCP traffic
from eth0 to eth1 that has a destination port == 25")
The issue I'm having is that traffic that has passed through the local
IP stack (whether that be from a local process, or routed) is handled
differently to traffic that is being bridged - iptables is no longer
aware of the physical NIC from which the traffic will egress. I.e. for
this traffic I can only create rules referencing the whole bridge (br0)
rather than individual physical NICs (eth0, eth1, etc.).
The following is NOT a description of what actually happens, it is what
I believe would be a cleaner model than the current system:
Logically, I would say that routing and bridging are two completely
different processes, so should have separate chains. i.e. the
PREROUTING, FORWARD, POSTROUTING and OUTPUT chains should refer *only*
to traffic that is passing through the IP stack, and there should be
separate PREBRIDGE, FORWARDBRIDGE, POSTBRIDGE chains for the bridged
traffic. The bridge interface (br0) should be seen as just another
member of the bridge, exactly like the physical NICs.
So following the above idea, a packet generated by a local process would
pass though:
iptables:OUTPUT (egress NIC: br0)
iptables:POSTROUTING (egress NIC: br0)
ebtables:BROUTING (ingress NIC: br0)
ebtables:PREROUTING (ingress NIC: br0)
iptables:PREBRIDGE (ingress NIC: br0)
ebtables:FORWARD (ingress NIC: br0, egress NIC: eth0)
iptables:FORWARDBRIDGE (ingress NIC: br0, egress NIC: eth0)
iptables:POSTBRIDGE (ingress NIC: br0, egress NIC: eth0)
ebtables:POSTROUTING (ingress NIC: br0, egress NIC: eth0)
And similarly, a bridged packet would look something like:
ebtables:BROUTING (ingress NIC: eth1)
ebtables:PREROUTING (ingress NIC: eth1)
iptables:PREBRIDGE (ingress NIC: eth1)
ebtables:FORWARD (ingress NIC: eth1, egress NIC: eth0)
iptables:FORWARDBRIDGE (ingress NIC: eth1, egress NIC: eth0)
iptables:POSTBRIDGE (ingress NIC: eth1, egress NIC: eth0)
ebtables:POSTROUTING (ingress NIC: eth1, egress NIC: eth0)
Unfortunately this isn't what happens :)
Hope that explains what I'm talking about anyway. In my case, the
"other servers" are actually virtual machines running on the Linux
server, so "eth1..4" aren't really physical NICs, they are tun/tap
interfaces. But for the purpose of this discussion, that is unimportant.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:steve@opendium.com
Email: steve@opendium.com
Phone: sip:steve@opendium.com
Sales / enquiries contacts:
Email: sales@opendium.com
Phone: +44-844-9791439 / sip:sales@opendium.com
Support contacts:
Email: support@opendium.com
Phone: +44-844-4844916 / sip:support@opendium.com
next prev parent reply other threads:[~2012-01-03 13:15 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-21 10:16 Filtering on bridges Steve Hill
2011-12-21 13:30 ` Jan Engelhardt
2011-12-21 13:48 ` Steve Hill
2011-12-21 15:36 ` Niccolò Belli
2011-12-21 18:36 ` Jan Engelhardt
2011-12-21 23:21 ` Steve Hill
2011-12-21 23:31 ` Jan Engelhardt
2011-12-22 10:56 ` Steve Hill
2011-12-22 16:28 ` Jan Engelhardt
2011-12-22 17:36 ` Steve Hill
2011-12-22 22:05 ` Jan Engelhardt
2011-12-23 4:33 ` Vigneswaran R
2012-01-03 13:15 ` Steve Hill [this message]
2012-01-03 16:09 ` Jan Engelhardt
2012-01-03 18:43 ` John A. Sullivan III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F02FF61.5020806@opendium.com \
--to=steve@opendium.com \
--cc=jengelh@medozas.de \
--cc=netfilter@vger.kernel.org \
--cc=vignesh@atc.tcs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.