[Bridge] ebtables/iptables ambiguity

[Bridge] ebtables/iptables ambiguity

[Jonathan Thibault]

I am trying to use connmark based on the bridge output port.

Normally, I would:

...
iptables -t mangle -A VMARK -i out -m physdev --physdev-out in.15 -j MARK --or-mark 0x00F
...
iptables -t mangle -A VMARK -j CONNMARK --save-mark

(VMARK is called in -t mangle POSTROUTING)

But since this traffic is routed and not bridged, I get the expected:

"physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore."

Now I could use ebtables to perform the mark in, say, filter FORWARD, but would it know which member interface the packets are going if the traffic is not being bridged?  And if so, would the mark appear in time for me to -j CONNMARK --save-mark in POSTROUTING/VMARK?

I obviously could try it to see if it works, but I'd rather *understand* what I'm doing first ;)

Jonathan

Re: [Bridge] ebtables/iptables ambiguity

[richardvoigt]

On Tue, Dec 22, 2009 at 3:08 PM, Jonathan Thibault <jonathan@navigue.com> wrote:
> I am trying to use connmark based on the bridge output port.
>
> Normally, I would:
>
> ...
> iptables -t mangle -A VMARK -i out -m physdev --physdev-out in.15 -j MARK --or-mark 0x00F
> ...
> iptables -t mangle -A VMARK -j CONNMARK --save-mark
>
> (VMARK is called in -t mangle POSTROUTING)
>
> But since this traffic is routed and not bridged, I get the expected:
>
> "physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore."
>
> Now I could use ebtables to perform the mark in, say, filter FORWARD, but would it know which member interface the packets are going if the traffic is not being bridged?  And if so, would the mark appear in time for me to -j CONNMARK --save-mark in POSTROUTING/VMARK?

If it isn't being bridged, the packet will pass through the ebtables
OUTPUT chain, not FORWARD (even if it is being routed, that's still
considered input to the local host, pass up to level 3, level 3
routing, then pass back down to level 2 as outgoing from the local
host).

There's a really nice diagram that shows the order all the chains are
visited by packets for pretty much every scenario imaginable.
http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png

As you can see, ebtables POSTROUTING actions will be run before the
packet reaches iptables POSTROUTING, so you should probably use those.

>
> I obviously could try it to see if it works, but I'd rather *understand* what I'm doing first ;)
>
> Jonathan
> _______________________________________________
> Bridge mailing list
> Bridge@lists.linux-foundation.org
> https://lists.linux-foundation.org/mailman/listinfo/bridge
>

Re: [Bridge] ebtables/iptables ambiguity

[Nicolas de Pesloüan]

Jonathan Thibault wrote:
> I am trying to use connmark based on the bridge output port.
> 
> Normally, I would:
> 
> ...
> iptables -t mangle -A VMARK -i out -m physdev --physdev-out in.15 -j MARK --or-mark 0x00F
> ...
> iptables -t mangle -A VMARK -j CONNMARK --save-mark
> 
> (VMARK is called in -t mangle POSTROUTING)
> 
> But since this traffic is routed and not bridged, I get the expected:
> 
> "physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore."
> 
> Now I could use ebtables to perform the mark in, say, filter FORWARD, but would it know which member interface the packets are going if the traffic is not being bridged?  And if so, would the mark appear in time for me to -j CONNMARK --save-mark in POSTROUTING/VMARK?
> 
> I obviously could try it to see if it works, but I'd rather *understand* what I'm doing first ;)

If you want to try and understand the relation between ebtables and routing, have a look at 
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and in particular at the nice picture at the 
end : http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png

'hope this helps.

	Nicolas.