netfilter-devel.vger.kernel.org archive mirror
From: Aijaz Baig <aijazbaig1@gmail.com>
To: netfilter@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Subject: packet flow - ebtables broute DROP target
Date: Thu, 15 Jul 2010 19:32:38 +0530
Message-ID: <1279202558.5524.10.camel@aijazbaig1-desktop>
In-Reply-To: <AANLkTil_RodsXwi2y8-tOeLsZ8Cl3TN0WYfsAMrrx-VP@mail.gmail.com>

Hello people,

I'm relatively new to the ebtables + iptables firewalling architecture. I
have read the ebtables and iptables firewall interaction document and
also seen the GIF specified at the end of the document. For those
unfamiliar with it, here are the links to the same:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html for the document
and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png for the
picture.

I'm trying to understand what happens to a packet which is DROPped in the
BROUTING chain of the broute table. If I have understood correctly from
the document above, it goes to L3 where the routing subsystem can decide
where to send the packet to depending on the L3 information in it, isn't it?
So I'm assuming that the first place it should be visible should be the
PREROUTING chain of the mangle table, isn't it? But I tried with a LOG
target rule matching the criteria I used in constructing the DROP target
in the broute table's BROUTING chain.

And then after that I checked the packet counters for both the rules,
viz. the one in the BROUTING chain and the one in the PREROUTING chain
of the mangle table. The packet did hit the first rule and it is
dropped. I cannot see it on br0, the bridge interface, either. But the
packet count in the latter rule is 0, which means that the packet didn't
arrive in the mangle table's PREROUTING chain.
But this behavior is contrary to what the GIF above shows.

I'm rather confused. Please do shed some light on it if people have had
similar experiences before.

I am keen to hear from you,

Regards,
Aijaz Baig.
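
The counter comparison described in the mail above, as an added example that is not part of the original message or of the ebtables project: a small POSIX shell helper that pulls the two per-rule packet counters out of the output of "ebtables -t broute -L BROUTING --Lc" and "iptables -t mangle -L PREROUTING -v -n -x" and reports whether every frame the broute DROP rule matched was also counted by the mangle LOG rule. The two sample outputs embedded in it are constructed so it runs offline; the rule specification (tcp dport 80), the helper names and the counter line format (legacy ebtables prints "pcnt = N -- bcnt = M" after each rule) are assumptions. Run as root with both tools installed, it reads the live tables instead.

```shell
#!/bin/sh
# Added example, not code from the original mail: compare the packet counter
# of a broute-table DROP rule with the packet counter of the matching LOG rule
# in mangle PREROUTING, to see whether the brouted frames ever reached L3.

# Constructed sample output of: ebtables -t broute -L BROUTING --Lc
# (legacy ebtables format, assumed). The DROP rule has matched 5 frames.
SAMPLE_EBT='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 5 -- bcnt = 300'

# Constructed sample output of: iptables -t mangle -L PREROUTING -v -n -x
# The LOG rule with the same match has not seen any of those frames.
SAMPLE_IPT='Chain PREROUTING (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4'

# ebt_pcnt TEXT TARGET: sum the "pcnt" value of every rule in TEXT whose
# target is TARGET (e.g. DROP). Prints 0 when no such rule is listed.
ebt_pcnt() {
    printf '%s\n' "$1" | awk -v tgt="-j $2" '
        index($0, tgt " ") && match($0, /pcnt = [0-9]+/) {
            sum += substr($0, RSTART + 7, RLENGTH - 7)
        }
        END { print sum + 0 }'
}

# ipt_pkts TEXT TARGET: sum the first (pkts) column of every rule line in
# TEXT whose target column is TARGET (e.g. LOG). Header lines are skipped
# because their first field is not numeric.
ipt_pkts() {
    printf '%s\n' "$1" | awk -v tgt="$2" '
        $3 == tgt && $1 ~ /^[0-9]+$/ { sum += $1 }
        END { print sum + 0 }'
}

# verdict BROUTE_PCNT MANGLE_PKTS: one line stating whether the frames that
# matched the broute rule were also counted by the mangle PREROUTING rule.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo "broute rule never matched: nothing to trace"
    elif [ "$2" -ge "$1" ]; then
        echo "all $1 brouted frame(s) reached mangle PREROUTING"
    else
        echo "$1 frame(s) brouted, only $2 seen in mangle PREROUTING"
    fi
}

# compare_counters [EBT_TEXT IPT_TEXT]: with two arguments, analyse the given
# listings; without arguments, read the live tables when running as root with
# ebtables and iptables available, otherwise fall back to the constructed samples.
compare_counters() {
    if [ $# -eq 2 ]; then
        ebt="$1"; ipt="$2"
    elif [ "$(id -u)" -eq 0 ] && command -v ebtables >/dev/null 2>&1 \
         && command -v iptables >/dev/null 2>&1; then
        ebt=$(ebtables -t broute -L BROUTING --Lc)
        ipt=$(iptables -t mangle -L PREROUTING -v -n -x)
    else
        ebt="$SAMPLE_EBT"; ipt="$SAMPLE_IPT"
    fi
    verdict "$(ebt_pcnt "$ebt" DROP)" "$(ipt_pkts "$ipt" LOG)"
}

compare_counters
```

With the constructed samples the script reports that 5 frames were brouted but none were counted in mangle PREROUTING, which is the situation the mail describes. When run against live tables, the DROP rule must be the only rule with that target in the BROUTING chain, and the LOG rule the only LOG rule in mangle PREROUTING, for the per-target sums to correspond to the two rules being compared.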



Thread overview: 9+ messages
     [not found] <1DB91DF937A4544C81E636468B91C21C06F1EC28@CNSHGSMBS03.ad4.ad.alcatel.com>
2010-07-15  8:08 ` 'HELP ME PLEASE. libnetfilter_queue issue MAI JIN
2010-07-15 13:44   ` Mistick Levi
2010-07-15 14:02     ` Aijaz Baig [this message]
2010-07-15 14:34       ` packet flow - ebtables broute DROP target Jan Engelhardt
2010-07-15 19:26         ` Bart De Schuymer
2010-07-16  8:05           ` Aijaz Baig
2010-07-16 16:54             ` Bart De Schuymer
2010-07-16 17:06             ` Payam Chychi
2010-07-15 19:26       ` Bart De Schuymer
