* Re: [LARTC] more bridging + qos confusion
2003-03-04 17:14 [LARTC] more bridging + qos confusion Abraham van der Merwe
From: Martin A. Brown @ 2003-03-04 17:23 UTC (permalink / raw)
To: lartc
It sounds like you are running bridging with the netfilter hooks.
See the section at the bottom of the page on bridging + firewalling
(really netfilter hooks):
http://bridge.sourceforge.net/download.html
And of course, the newest patches here:
http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html
Are you running a kernel with support for bridge+nf (as it is known)?
-Martin
: If I create the following setup:
:
:      66.8.28.52/29                        66.8.28.51/29
:         +------+                             +------+
:         | PC A |------+     +----------------| PC B |
:         +------+      |     |                +------+
:                       |     |
:                   eth1|     | eth0
:                       +-----+
:                       | qos |  (br0 = 66.8.28.49/29)
:                       +-----+
:
: PC A is connected to qos via crossover cable and PC B and qos are plugged
: into the same switch. So even though everything is on the same network, traffic
: has to go through qos when PC A talks to PC B.
:
: Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
: FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
: tables - i.e. netfilter doesn't see any traffic flowing through the machine.
:
: Why is this? How do I match this traffic using netfilter? I can't use
: ebtables because I have to match traffic in the mangle table if I want to
: use it in conjunction with tc.
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] more bridging + qos confusion
From: Abraham van der Merwe @ 2003-03-04 17:29 UTC (permalink / raw)
To: lartc
Hi Martin!
No, I'm not running with ebtables+nf support. From what I understand (and
please correct me if I'm wrong), patching the kernel with
ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD, and
NAT chains which you can match traffic on.
However, I need to match traffic in the mangle table, so the ebtables table
won't help me.
Some questions:
(a) If I add the bridge-nf + ebtables patches, will I be able to match
traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
(b) Why does netfilter not currently see the traffic even though a tcpdump
on eth0/eth1 shows all the traffic passing through the interfaces?
> It sounds like you are running bridging with the netfilter hooks.
>
> See the section at the bottom of the page on bridging + firewalling
> (really netfilter hooks):
>
> http://bridge.sourceforge.net/download.html
>
> And of course, the newest patches here:
>
> http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html
>
> Are you running a kernel with support for bridge+nf (as it is known)?
>
> -Martin
>
> : If I create the following setup:
> :
> :      66.8.28.52/29                        66.8.28.51/29
> :         +------+                             +------+
> :         | PC A |------+     +----------------| PC B |
> :         +------+      |     |                +------+
> :                       |     |
> :                   eth1|     | eth0
> :                       +-----+
> :                       | qos |  (br0 = 66.8.28.49/29)
> :                       +-----+
> :
> : PC A is connected to qos via crossover cable and PC B and qos are plugged
> : into the same switch. So even though everything is on the same network, traffic
> : has to go through qos when PC A talks to PC B.
> :
> : Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
> : FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
> : tables - i.e. netfilter doesn't see any traffic flowing through the machine.
> :
> : Why is this? How do I match this traffic using netfilter? I can't use
> : ebtables because I have to match traffic in the mangle table if I want to
> : use it in conjunction with tc.
--
Regards
Abraham
I'm telling you that the kernel is stable not because it's a kernel,
but because I refuse to listen to arguments like this.
-- Linus Torvalds
___________________________________________________
Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
P.O. Box 3472, Matieland, Stellenbosch, 7602
Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
Email: abz@frogfoot.net
* Re: [LARTC] more bridging + qos confusion
From: Martin A. Brown @ 2003-03-04 17:43 UTC (permalink / raw)
To: lartc
<bill-the-cat-sound> Ack! I meant to say:
"It sounds like you are running bridging without the netfilter hooks."
But, of course, you understood what I meant.
: No, I'm not running with ebtables+nf support. From what I understand
: (and please correct me if I'm wrong), patching the kernel with
: ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
: and NAT chains which you can match traffic on.
:
: However, I need to match traffic in the mangle table, so the ebtables
: table won't help me.
In order for you to be able to use iptables *at all* with the bridging
code, you need the bridge+nf patch(es).
: (a) If I add the bridge-nf + ebtables patches, will I be able to match
: traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
Good question. I haven't used the OUTPUT and POSTROUTING chains, but I
have used the FORWARD chain on a bridge+nf installation. I think the link
you forwarded to this list earlier today [1] shows the sequence of
netfilter hook traversal, but assumes that you are running bridge+nf.
: (b) Why does netfilter not currently see the traffic even though a tcpdump
: on eth0/eth1 shows all the traffic passing through the interfaces?
See above....
-Martin
[1] http://www.sparkle-cc.co.uk/firewall/firewall.html
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
* Re: [LARTC] more bridging + qos confusion
From: Abraham van der Merwe @ 2003-03-04 18:01 UTC (permalink / raw)
To: lartc
Hi Martin!
> : No, I'm not running with ebtables+nf support. From what I understand
> : (and please correct me if I'm wrong), patching the kernel with
> : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
> : and NAT chains which you can match traffic on.
> :
> : However, I need to match traffic in the mangle table, so the ebtables
> : table won't help me.
>
> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).
Ah ok. Which patch should I use
(http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff
or
http://users.pandora.be/bart.de.schuymer/ebtables/br-nf/bridge-nf-0.0.10-against-2.4.20.diff)
I've used the latter with 2.4.21pre5, but it seems as if the first one was
created for iptables and the latter for ebtables - is that correct or can I
use both?
I'll test it now with the new one anyway and see if I can match packets in
the mangle table.
--
Regards
Abraham
Heller's Law:
The first myth of management is that it exists.
Johnson's Corollary:
Nobody really knows what is going on anywhere within the
organization.
___________________________________________________
Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
P.O. Box 3472, Matieland, Stellenbosch, 7602
Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
Email: abz@frogfoot.net
* Re: [LARTC] more bridging + qos confusion
From: Abraham van der Merwe @ 2003-03-04 18:22 UTC (permalink / raw)
To: lartc
Hi Martin!
I just applied the bridge-nf and ebtables patches and tried it and I can
match packets in the mangle table as usual (also have to use FORWARD for
packets passing through the machine).
> <bill-the-cat-sound> Ack! I meant to say:
>
> "It sounds like you are running bridging without the netfilter hooks."
>
> But, of course, you understood what I meant.
>
> : No, I'm not running with ebtables+nf support. From what I understand
> : (and please correct me if I'm wrong), patching the kernel with
> : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
> : and NAT chains which you can match traffic on.
> :
> : However, I need to match traffic in the mangle table, so the ebtables
> : table won't help me.
>
> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).
>
> : (a) If I add the bridge-nf + ebtables patches, will I be able to match
> : traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
>
> Good question. I haven't used the OUTPUT and POSTROUTING chains, but I
> have used the FORWARD chain on a bridge+nf installation. I think the link
> you forwarded to this list earlier today [1] shows the sequence of
> netfilter hook traversal, but assumes that you are running bridge+nf.
>
> : (b) Why does netfilter not currently see the traffic even though a tcpdump
> : on eth0/eth1 shows all the traffic passing through the interfaces?
>
> See above....
>
> -Martin
>
> [1] http://www.sparkle-cc.co.uk/firewall/firewall.html
--
Regards
Abraham
It is more rational to sacrifice one life than six.
-- Spock, "The Galileo Seven", stardate 2822.3
___________________________________________________
Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
P.O. Box 3472, Matieland, Stellenbosch, 7602
Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
Email: abz@frogfoot.net
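The thread's conclusion (bridged traffic only reaches iptables once the bridge-netfilter hooks are in, after which marking in the mangle FORWARD chain and classifying with tc works as on a router) as a runnable script. This is an added example, not code from any message above: it assumes a current kernel, where the 2.4 bridge-nf patch's hooks ship as the br_netfilter module and are enabled with the net.bridge.bridge-nf-call-iptables sysctl, and iproute2 instead of brctl. Interface names and the bridge address follow the diagram in the thread; the fwmark, the HTB rates and the choice of ICMP as the matched traffic are assumptions for illustration. One detail the thread does not mention: with bridge-nf the IP hooks see br0 as both the in and the out device, so the physical ports are matched with the physdev match, not -i/-o.

```shell
#!/bin/sh
# Added example, not code from the thread: QoS on a Linux bridge using
# iptables mangle marks plus tc. Requires bridged frames to pass through the
# IP netfilter hooks (2.4 bridge-nf patch; br_netfilter + sysctl on current
# kernels). Names below follow the thread's diagram; MARK, rates and ICMP as
# the matched protocol are assumptions.

BR=br0; IF_A=eth1; IF_B=eth0          # PC A on eth1, PC B (via switch) on eth0
BR_ADDR=66.8.28.49/29
MARK=10                               # assumed fwmark
RATE_A_TO_B=2mbit                     # assumed ceiling for the marked class
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands, 0 = run them (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Why tcpdump on eth0/eth1 shows the ping while every iptables counter stays
# at zero: a plain bridge forwards at layer 2 and never hands the frame to
# the IPv4 stack, so PREROUTING/FORWARD/POSTROUTING are not traversed. With
# bridge-nf the bridged frames are run through those hooks (FORWARD, not
# INPUT/OUTPUT, since the box is neither source nor destination). This checks
# the switch; $1 overrides the sysctl path so it can be tested anywhere.
bridge_nf_check() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    if [ ! -r "$f" ]; then
        echo "missing: kernel has no bridge-nf hooks (modprobe br_netfilter?)"
        return 1
    fi
    if [ "$(cat "$f")" != 1 ]; then
        echo "disabled: echo 1 > $f"
        return 1
    fi
    echo enabled
}

setup_bridge() {
    run modprobe br_netfilter                # no-op where bridge-nf is built in
    run ip link add name "$BR" type bridge
    run ip link set "$IF_A" master "$BR"
    run ip link set "$IF_B" master "$BR"
    run ip addr add "$BR_ADDR" dev "$BR"
    run ip link set "$IF_A" up
    run ip link set "$IF_B" up
    run ip link set "$BR" up
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

setup_qos() {
    # In the IP hooks the in/out device is br0 for bridged traffic, so match
    # the physical ports with physdev instead of -i/-o.
    run iptables -t mangle -A FORWARD -m physdev --physdev-in "$IF_A" \
        --physdev-out "$IF_B" -p icmp -j MARK --set-mark "$MARK"
    # The mark is still on the skb at the egress port's qdisc; classify there.
    run tc qdisc add dev "$IF_B" root handle 1: htb default 20
    run tc class add dev "$IF_B" parent 1: classid 1:10 htb rate "$RATE_A_TO_B"
    run tc class add dev "$IF_B" parent 1: classid 1:20 htb rate 100mbit
    run tc filter add dev "$IF_B" parent 1: protocol ip prio 1 \
        handle "$MARK" fw flowid 1:10
}

# After a ping from PC A to PC B, the counters to watch are
#   iptables -t mangle -L FORWARD -v -n   and   tc -s class show dev eth0
bridge_nf_check || :
setup_bridge
setup_qos
```

Run with DRY_RUN=1 (the default) to print the commands, or DRY_RUN=0 as root to apply them. The ebtables BROUTING/FORWARD/NAT tables mentioned in the thread are not needed for this; they matter only when matching on layer-2 fields.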