From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: Oliver Graute <oliver.graute@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Marking frames with ebtables for iptables
Date: Sat, 05 Dec 2015 12:30:20 +0100	[thread overview]
Message-ID: <5662CACC.9010809@plouf.fr.eu.org> (raw)
In-Reply-To: <loom.20151202T145721-935@post.gmane.org>

Hello,

Oliver Graute wrote:
> 
> I am trying to mark some frames with ebtables on the MAC layer to pass this mark to
> the iptables network layer.
> 
> I set up a bridge interface br0 and cleared all ebtables and iptables tables
> as preparation. Then I tried something like this:
> 
> ebtables -t filter -A INPUT -p IPv4 -s 00:11:22:33:44:55 -i eth0 -j mark --mark-set 0xffff --mark-target ACCEPT
> ebtables -t filter -A INPUT --log-level info --log-ip --log-prefix EBFW
> iptables -t mangle -A PREROUTING -m mark --mark 0xffff

What's the use of this rule with no target?

> iptables -t mangle -A PREROUTING -m mark --mark 0xffff -j LOG --log-level info --log-prefix MARKED
> 
> I would expect the iptables log to show me the packets marked by ebtables.
> But I see no mark 0xffff.

Check the packet flow diagram at
<https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg>

You can see that if the packet is received on a bridge (blue
background), ebtables/INPUT (blue header) comes after
iptables/PREROUTING (green header). To avoid the iptables/ebtables mix,
you must disable the iptables call by bridge-nf:

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

What is your goal? If you just need to match the source MAC address,
you don't need ebtables. Iptables has the "mac" match.
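
Added example (not code from the thread): the two fixes described in this reply as a small POSIX shell script, the original ebtables mark with bridge-nf-call-iptables turned off beside the ebtables-free "mac" match. Assumed: bridge br0 with port eth0 and the source MAC from the original post; DRY_RUN=1 prints the commands instead of executing them, and BRIDGE_NF_IPTABLES can be pointed at another file for inspection.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions: bridge br0 with
# port eth0, source MAC from the original post. DRY_RUN=1 only prints commands.
SRC_MAC="00:11:22:33:44:55"
MARK="0xffff"
# Overridable so the check below can be pointed at a test file.
BRIDGE_NF_IPTABLES="${BRIDGE_NF_IPTABLES:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Prints the current bridge-nf-call-iptables value. While it is 1, bridged
# frames are passed to iptables PREROUTING before ebtables INPUT runs, so a
# mark set in ebtables INPUT is not yet present when "-m mark" is evaluated.
bridge_nf_call_iptables() {
    if [ -r "$BRIDGE_NF_IPTABLES" ]; then
        cat "$BRIDGE_NF_IPTABLES"
    else
        echo unknown
    fi
}

# Approach 1 (the reply's advice): keep the ebtables mark, but stop bridge-nf
# from calling iptables, so the packet reaches iptables PREROUTING only after
# ebtables INPUT has set the mark.
mark_with_ebtables() {
    run sh -c "echo 0 > $BRIDGE_NF_IPTABLES"
    run ebtables -t filter -A INPUT -p IPv4 -s "$SRC_MAC" -i eth0 \
        -j mark --mark-set "$MARK" --mark-target ACCEPT
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" \
        -j LOG --log-level info --log-prefix MARKED
}

# Approach 2 (also from the reply): no ebtables at all; the iptables "mac"
# match tests the source MAC directly in the same PREROUTING chain.
mark_with_iptables_mac() {
    run iptables -t mangle -A PREROUTING -m mac --mac-source "$SRC_MAC" \
        -j LOG --log-level info --log-prefix MARKED
}

# Usage: DRY_RUN=1 sh script.sh ebtables   (or "mac"); omit DRY_RUN to apply.
case "${1:-}" in
    ebtables) mark_with_ebtables ;;
    mac) mark_with_iptables_mac ;;
esac
```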

Thread overview: 5+ messages
2015-12-02 14:02 Marking frames with ebtables for iptables Oliver Graute
2015-12-05 11:30 ` Pascal Hambourg [this message]
2015-12-07  8:43   ` Oliver Graute
2015-12-07 22:39     ` Pascal Hambourg
2015-12-08  7:10       ` Oliver Graute
