* Marking frames with ebtables for iptables
From: Oliver Graute
Date: 2015-12-02 14:02 UTC
To: netfilter

Hello,

I'm new to ebtables/iptables. I struggle with the mark feature.

I try to mark some frames with ebtables on the MAC layer to pass this mark to
the iptables network layer.

I build up a bridge interface br0, cleared all ebtables and iptables tables
as preparation. Then I try something like this:

ebtables -t filter -A INPUT -p IPv4 -s 00:11:22:33:44:55 -i eth0 -j mark --mark-set 0xffff --mark-target ACCEPT
ebtables -t filter -A INPUT --log-level info --log-ip --log-prefix EBFW
iptables -t mangle -A PREROUTING -m mark --mark 0xffff
iptables -t mangle -A PREROUTING -m mark --mark 0xffff -j LOG --log-level info --log-prefix MARKED

I would expect that the iptables log shows me the marked packages from ebtables.
But I see no mark 0xffff.

Does anyone know how this is done right?

Best regards,

Oliver
* Re: Marking frames with ebtables for iptables
From: Pascal Hambourg
Date: 2015-12-05 11:30 UTC
To: Oliver Graute; +Cc: netfilter

Hello,

Oliver Graute wrote:
>
> I try to mark some frames with ebtables on the MAC layer to pass this mark to
> the iptables network layer.
>
> I build up a bridge interface br0, cleared all ebtables and iptables tables
> as preparation. Then I try something like this:
>
> ebtables -t filter -A INPUT -p IPv4 -s 00:11:22:33:44:55 -i eth0 -j mark --mark-set 0xffff --mark-target ACCEPT
> ebtables -t filter -A INPUT --log-level info --log-ip --log-prefix EBFW
> iptables -t mangle -A PREROUTING -m mark --mark 0xffff

What's the use of this rule with no target?

> iptables -t mangle -A PREROUTING -m mark --mark 0xffff -j LOG --log-level info --log-prefix MARKED
>
> I would expect that the iptables log shows me the marked packages from ebtables.
> But I see no mark 0xffff.

Check the packet flow diagram at
<https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg>

You can see that if the packet is received on a bridge (blue
background), ebtables/INPUT (blue header) comes after
iptables/PREROUTING (green header). To avoid the iptables/ebtables mix,
you must disable the iptables call by bridge-nf:

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

What is your goal? If you just need to match the source MAC address,
you don't need ebtables. Iptables has the "mac" match.
* Re: Marking frames with ebtables for iptables
From: Oliver Graute
Date: 2015-12-07 8:43 UTC
To: Pascal Hambourg; +Cc: netfilter

On Sat, Dec 5, 2015 at 12:30 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>
> Hello,
>
> Oliver Graute wrote:
> >
> > I try to mark some frames with ebtables on the MAC layer to pass this mark to
> > the iptables network layer.
> >
> > I build up a bridge interface br0, cleared all ebtables and iptables tables
> > as preparation. Then I try something like this:
> >
> > ebtables -t filter -A INPUT -p IPv4 -s 00:11:22:33:44:55 -i eth0 -j mark --mark-set 0xffff --mark-target ACCEPT
> > ebtables -t filter -A INPUT --log-level info --log-ip --log-prefix EBFW
> > iptables -t mangle -A PREROUTING -m mark --mark 0xffff
>
> What's the use of this rule with no target?

The target should be LOG or ACCEPT. Right now I only need to mark special
tagged frames coming from the MAC layer.

> > iptables -t mangle -A PREROUTING -m mark --mark 0xffff -j LOG --log-level info --log-prefix MARKED
> >
> > I would expect that the iptables log shows me the marked packages from ebtables.
> > But I see no mark 0xffff.
>
> Check the packet flow diagram at
> <https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg>

Thanks, that helps a lot for my understanding.

> You can see that if the packet is received on a bridge (blue
> background), ebtables/INPUT (blue header) comes after
> iptables/PREROUTING (green header). To avoid the iptables/ebtables mix,
> you must disable the iptables call by bridge-nf:
>
> echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
>
> What is your goal? If you just need to match the source MAC address,
> you don't need ebtables. Iptables has the "mac" match.

I just tried a "simple" example with the "mac" match to understand the
ebtables/iptables mix.

But the real goal is to mark frames coming from a tagged port with a 3-bit
PCP field (IEEE 802.1p/802.1Q). Later on I want to proceed these marked
frames on the IP layer to set some ToS bits. How is that done?

Best regards,

Oliver
* Re: Marking frames with ebtables for iptables
From: Pascal Hambourg
Date: 2015-12-07 22:39 UTC
To: Oliver Graute; +Cc: netfilter

Oliver Graute wrote:
>
> I just tried a "simple" example with the "mac" match to understand the
> ebtables/iptables mix.
> But the real goal is to mark frames coming from a tagged port with a
> 3-bit PCP field (IEEE 802.1p/802.1Q).
> Later on I want to proceed these marked frames on the IP layer to
> set some ToS bits. How is that done?

I don't know what the PCP field is. Is it the same as the 3-bit user
priority field in an IEEE 802.1Q header? If so, you can use the vlan
match in ebtables.

To set TOS bits with iptables, you can use the TOS or DSCP target.
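The following script is an added example, not code posted in this thread. It puts together the two pieces of advice above: disable the bridge-nf call into iptables (Pascal's first reply), match the 3-bit 802.1Q priority with the ebtables vlan match and carry it into iptables as an skb mark, then rewrite the DSCP codepoint with the DSCP target (this reply). The bridge port name (eth0), the mark numbering (0x100 + PCP) and the PCP-to-DSCP table are assumptions constructed for illustration; nothing in the thread prescribes them. The rule set is generated by a function and only executed when the script is run with "apply", so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): carry the 3-bit 802.1Q priority (PCP)
# of frames arriving on a bridge port into an skb mark with ebtables, then
# have iptables rewrite the DSCP field from that mark.
# Assumptions: the port name, the mark numbering and the PCP->DSCP table
# below are constructed for illustration, not taken from the thread.

BRIDGE_PORT="${BRIDGE_PORT:-eth0}"   # assumed bridge member port carrying tagged frames
MARK_BASE=256                        # constructed: mark 0x100+PCP encodes PCP 0..7

# pcp_to_dscp PCP: print the DSCP value chosen for that priority.
# Constructed table (follows the usual CSx/EF codepoints); fails for PCP > 7.
pcp_to_dscp() {
    case "$1" in
        0) echo 0  ;;   # best effort
        1) echo 8  ;;   # CS1
        2) echo 16 ;;   # CS2
        3) echo 24 ;;   # CS3
        4) echo 32 ;;   # CS4
        5) echo 46 ;;   # EF
        6) echo 48 ;;   # CS6
        7) echo 56 ;;   # CS7
        *) return 1 ;;
    esac
}

# pcp_mark PCP: print the hex skb mark used for that priority (0x100..0x107).
pcp_mark() {
    printf '0x%x\n' $((MARK_BASE + $1))
}

# build_rules: print the rule set in order without executing anything, so it
# can be reviewed (or diffed against the running rules) without root.
build_rules() {
    # As in the thread: stop bridge-nf from calling iptables for bridged
    # frames. Only frames handed up to the host through br0 then reach
    # iptables, and they reach it after the ebtables mark has been set.
    echo "echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables"
    echo "ebtables -t filter -F INPUT"
    echo "iptables -t mangle -F PREROUTING"
    pcp=0
    while [ "$pcp" -le 7 ]; do
        mark=$(pcp_mark "$pcp")
        dscp=$(pcp_to_dscp "$pcp")
        # The ebtables vlan match requires -p 802_1Q; --vlan-prio is the PCP.
        echo "ebtables -t filter -A INPUT -i $BRIDGE_PORT -p 802_1Q --vlan-prio $pcp -j mark --mark-set $mark --mark-target ACCEPT"
        # iptables sees the same skb mark and rewrites the DSCP codepoint.
        echo "iptables -t mangle -A PREROUTING -i br0 -m mark --mark $mark -j DSCP --set-dscp $dscp"
        pcp=$((pcp + 1))
    done
    # Visibility: log every frame carrying a mark from this range (mask keeps
    # all bits except the low three, which hold the PCP).
    echo "iptables -t mangle -A PREROUTING -i br0 -m mark --mark 0x100/0xfffffff8 -j LOG --log-level info --log-prefix 'PCP-MARKED '"
}

# apply_rules: execute the generated rule set (requires root).
apply_rules() {
    build_rules | sh -e
}

# Run directly: print the rules; pass "apply" to install them.
case "${1:-}" in
    apply) apply_rules ;;
    "")    build_rules ;;
esac
```

Run it without arguments to print the generated rules, or as root with "apply" to install them. Because bridge-nf-call-iptables is set to 0, frames that are merely bridged between ports never reach iptables at all; only traffic delivered to the host's own IP stack via br0 gets its DSCP rewritten, which is the path the thread is about. If bridged traffic also needs its DSCP changed, that is a separate design (ebtables alone cannot rewrite IP headers), so verify with the LOG rule which frames actually carry the mark before relying on it.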
* Re: Marking frames with ebtables for iptables
From: Oliver Graute
Date: 2015-12-08 7:10 UTC
To: Pascal Hambourg; +Cc: netfilter

> I don't know what the PCP field is. Is it the same as the 3-bit user
> priority field in an IEEE 802.1Q header? If so, you can use the vlan
> match in ebtables.

Yes, these are the right ones.

> To set TOS bits with iptables, you can use the TOS or DSCP target.

I'll try, thank you.

Oliver