* [LARTC] more bridging + qos confusion
From: Abraham van der Merwe @ 2003-03-04 17:14 UTC (permalink / raw)
To: lartc
Hi!
If I create the following setup:
 66.8.28.52/29                  66.8.28.51/29
  +------+                       +------+
  | PC A |------+     +---------| PC B |
  +------+      |     |         +------+
                |     |
            eth1|     | eth0
                +-----+
                | qos | (br0 = 66.8.28.49/29)
                +-----+
PC A is connected to qos via a crossover cable, and PC B and qos are plugged
into the same switch. So even though everything is on the same network, traffic
has to go through qos when PC A talks to PC B.
Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
tables - i.e. netfilter doesn't see any traffic flowing through the machine.
Why is this? How do I match this traffic using netfilter? I can't use
ebtables because I have to match traffic in the mangle table if I want to
use it in conjunction with tc.
--
Regards
Abraham
By the yard, life is hard.
By the inch, it's a cinch.
___________________________________________________
Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
P.O. Box 3472, Matieland, Stellenbosch, 7602
Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
Email: abz@frogfoot.net
* Re: [LARTC] more bridging + qos confusion
From: Martin A. Brown @ 2003-03-04 17:23 UTC (permalink / raw)
To: lartc
It sounds like you are running bridging with the netfilter hooks.
See the section at the bottom of the page on bridging + firewalling
(really netfilter hooks):
http://bridge.sourceforge.net/download.html
And of course, the newest patches here:
http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html
Are you running a kernel with support for bridge+nf (as it is known)?
-Martin
: If I create the following setup:
:
:  66.8.28.52/29                  66.8.28.51/29
:   +------+                       +------+
:   | PC A |------+     +---------| PC B |
:   +------+      |     |         +------+
:                 |     |
:             eth1|     | eth0
:                 +-----+
:                 | qos | (br0 = 66.8.28.49/29)
:                 +-----+
:
: PC A is connected to qos via a crossover cable, and PC B and qos are plugged
: into the same switch. So even though everything is on the same network, traffic
: has to go through qos when PC A talks to PC B.
:
: Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
: FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
: tables - i.e. netfilter doesn't see any traffic flowing through the machine.
:
: Why is this? How do I match this traffic using netfilter? I can't use
: ebtables because I have to match traffic in the mangle table if I want to
: use it in conjunction with tc.
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] more bridging + qos confusion
From: Abraham van der Merwe @ 2003-03-04 17:29 UTC (permalink / raw)
To: lartc
Hi Martin!
No, I'm not running with ebtables+nf support. From what I understand (and
please correct me if I'm wrong), patching the kernel with
ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD, and
NAT chains which you can match traffic on.
However, I need to match traffic in the mangle table, so the ebtables table
won't help me.
Some questions:
(a) If I add the bridge-nf + ebtables patches, will I be able to match
traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
(b) Why does netfilter not currently see the traffic even though a tcpdump
on eth0/eth1 shows all the traffic passing through the interfaces?
> It sounds like you are running bridging with the netfilter hooks.
>
> See the section at the bottom of the page on bridging + firewalling
> (really netfilter hooks):
>
> http://bridge.sourceforge.net/download.html
>
> And of course, the newest patches here:
>
> http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html
>
> Are you running a kernel with support for bridge+nf (as it is known)?
>
> -Martin
>
> : If I create the following setup:
> :
> :  66.8.28.52/29                  66.8.28.51/29
> :   +------+                       +------+
> :   | PC A |------+     +---------| PC B |
> :   +------+      |     |         +------+
> :                 |     |
> :             eth1|     | eth0
> :                 +-----+
> :                 | qos | (br0 = 66.8.28.49/29)
> :                 +-----+
> :
> : PC A is connected to qos via a crossover cable, and PC B and qos are plugged
> : into the same switch. So even though everything is on the same network, traffic
> : has to go through qos when PC A talks to PC B.
> :
> : Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
> : FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
> : tables - i.e. netfilter doesn't see any traffic flowing through the machine.
> :
> : Why is this? How do I match this traffic using netfilter? I can't use
> : ebtables because I have to match traffic in the mangle table if I want to
> : use it in conjunction with tc.
--
Regards
Abraham
I'm telling you that the kernel is stable not because it's a kernel,
but because I refuse to listen to arguments like this.
-- Linus Torvalds
* Re: [LARTC] more bridging + qos confusion
From: Martin A. Brown @ 2003-03-04 17:43 UTC (permalink / raw)
To: lartc
<bill-the-cat-sound> Ack! I meant to say:
"It sounds like you are running bridging without the netfilter hooks."
But, of course, you understood what I meant.
: No, I'm not running with ebtables+nf support. From what I understand
: (and please correct me if I'm wrong), patching the kernel with
: ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
: and NAT chains which you can match traffic on.
:
: However, I need to match traffic in the mangle table, so the ebtables
: table won't help me.
In order for you to be able to use iptables *at all* with the bridging
code, you need the bridge+nf patch(es).
: (a) If I add the bridge-nf + ebtables patches, will I be able to match
: traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
Good question. I haven't used the OUTPUT and POSTROUTING chains, but I
have used the FORWARD chain on a bridge+nf installation. I think the link
you forwarded to this list earlier today [1] shows the sequence of
netfilter hook traversal, but assumes that you are running bridge+nf.
: (b) Why does netfilter not currently see the traffic even though a tcpdump
: on eth0/eth1 shows all the traffic passing through the interfaces?
See above....
-Martin
[1] http://www.sparkle-cc.co.uk/firewall/firewall.html
* Re: [LARTC] more bridging + qos confusion
From: Abraham van der Merwe @ 2003-03-04 18:01 UTC (permalink / raw)
To: lartc
Hi Martin!
> : No, I'm not running with ebtables+nf support. From what I understand
> : (and please correct me if I'm wrong), patching the kernel with
> : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
> : and NAT chains which you can match traffic on.
> :
> : However, I need to match traffic in the mangle table, so the ebtables
> : table won't help me.
>
> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).
Ah ok. Which patch should I use:
http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff
or
http://users.pandora.be/bart.de.schuymer/ebtables/br-nf/bridge-nf-0.0.10-against-2.4.20.diff ?
I've used the latter with 2.4.21pre5, but it seems as if the first one was
created for iptables and the latter for ebtables - is that correct, or can I
use both?
I'll test it now with the new one anyway and see if I can match packets in
the mangle table.
--
Regards
Abraham
Heller's Law:
The first myth of management is that it exists.
Johnson's Corollary:
Nobody really knows what is going on anywhere within the
organization.
* Re: [LARTC] more bridging + qos confusion
From: Abraham van der Merwe @ 2003-03-04 18:22 UTC (permalink / raw)
To: lartc
Hi Martin!
I just applied the bridge-nf and ebtables patches and tried it and I can
match packets in the mangle table as usual (also have to use FORWARD for
packets passing through the machine).
> <bill-the-cat-sound> Ack! I meant to say:
>
> "It sounds like you are running bridging without the netfilter hooks."
>
> But, of course, you understood what I meant.
>
> : No, I'm not running with ebtables+nf support. From what I understand
> : (and please correct me if I'm wrong), patching the kernel with
> : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
> : and NAT chains which you can match traffic on.
> :
> : However, I need to match traffic in the mangle table, so the ebtables
> : table won't help me.
>
> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).
>
> : (a) If I add the bridge-nf + ebtables patches, will I be able to match
> : traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
>
> Good question. I haven't used the OUTPUT and POSTROUTING chains, but I
> have used the FORWARD chain on a bridge+nf installation. I think the link
> you forwarded to this list earlier today [1] shows the sequence of
> netfilter hook traversal, but assumes that you are running bridge+nf.
>
> : (b) Why does netfilter not currently see the traffic even though a tcpdump
> : on eth0/eth1 shows all the traffic passing through the interfaces?
>
> See above....
>
> -Martin
>
> [1] http://www.sparkle-cc.co.uk/firewall/firewall.html
--
Regards
Abraham
It is more rational to sacrifice one life than six.
-- Spock, "The Galileo Seven", stardate 2822.3
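The whole thread boils down to one mechanism: a Linux bridge forwards frames at layer 2, so without the bridge-nf hooks the IP netfilter chains (and therefore MARK + tc's fw classifier) never see bridged traffic, even though tcpdump on the ports does. On current kernels the 2.4-era bridge-nf patch has become the br_netfilter module plus the sysctl net.bridge.bridge-nf-call-iptables. The script below is an added example written for this page, not code from any of the posts: bridge_nf_state is the check for whether bridged frames will reach iptables at all (the cause of the zero counters in the first message), and mark_rules prints the mangle FORWARD + tc commands that mark PC A to PC B traffic on the bridge and shape it on the egress port. Interface names (eth1 toward PC A, eth0 toward the switch), the two addresses, the mark value 7 and the HTB rates are taken from the thread or are illustrative assumptions; the xt_physdev match and MARK target are real iptables features.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Without br_netfilter (the modern form of the 2.4 bridge-nf patch),
# bridged frames never enter the IP netfilter hooks, so mangle/filter
# counters stay at zero while tcpdump on eth0/eth1 still sees the traffic.
# Assumed names (from the thread): br0 with eth1 (PC A side) and eth0
# (switch/PC B side); 66.8.28.52 is PC A and 66.8.28.51 is PC B.

# bridge_nf_state [FILE]
# Prints "on", "off" or "absent" for the bridge-nf-call-iptables toggle and
# returns 0 only for "on".  FILE defaults to the real sysctl path; passing
# another path lets the function be exercised on a box without a bridge.
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then
        # The file only exists once br_netfilter is loaded.  "absent" means
        # bridged traffic bypasses iptables (and tc's fw classifier) entirely.
        echo absent
        return 1
    fi
    case "$(cat "$f")" in
        1) echo on ;;
        *) echo off; return 1 ;;
    esac
}

# mark_rules SRC DST [MARK]
# Prints, without running them, the commands that make bridged SRC->DST
# traffic traverse mangle FORWARD, mark it there, and hand the mark to an
# HTB class on the egress port.  Pipe the output to sh to apply it.
mark_rules() {
    src="$1"; dst="$2"; mark="${3:-1}"
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -t mangle -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -s $src -d $dst -j MARK --set-mark $mark
tc qdisc add dev eth0 root handle 1: htb default 20
tc class add dev eth0 parent 1: classid 1:10 htb rate 256kbit
tc class add dev eth0 parent 1: classid 1:20 htb rate 2mbit
tc filter add dev eth0 parent 1: protocol ip handle $mark fw flowid 1:10
EOF
}

# Usage on the qos box (as root):
#   bridge_nf_state || mark_rules 66.8.28.52 66.8.28.51 7 | sh
#   iptables -t mangle -L FORWARD -v -n    # the counters now move
```

Two caveats a practitioner should keep in mind. First, once bridge-nf is on, every existing iptables FORWARD rule applies to bridged frames too, so a filter-table FORWARD policy of DROP silently cuts the bridge; review the filter table before flipping the sysctl on a production box. Second, --physdev-out is only meaningful for bridged packets in the FORWARD and POSTROUTING chains, which is why the mark is placed in mangle FORWARD rather than PREROUTING.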