From: agashi shipora <gashipo@gmail.com>
To: Bart De Schuymer <bdschuym@pandora.be>
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Subject: Re: uisng L7 filter in ebtables commands
Date: Thu, 1 Apr 2010 13:20:56 +0530 [thread overview]
Message-ID: <n2z861e3bca1004010050j7063cee8ya8c27ac73458b8bf@mail.gmail.com> (raw)
In-Reply-To: <4BB4427A.3020706@pandora.be>
Hi,
Sorry, I forgot to mention one more constraint with the Linux kernel
source base I am working with.
In the general Linux 2.6.30 kernel, iptables is introduced into the
bridge path by selecting the CONFIG_BRIDGE_NETFILTER option at
compile time, which selects br_netfilter.c, which invokes the
traversal of iptables. Also, the CONFIG_BRIDGE_NF_EBTABLES option is
dependent on CONFIG_BRIDGE_NETFILTER being selected.
Whereas in the Linux kernel source I am working with (which is also
2.6.30 but customized), the CONFIG_BRIDGE_NETFILTER option, though present
in "make menuconfig" for selection, is not compatible with the
customizations, hence results in a crash. Here also
CONFIG_BRIDGE_NF_EBTABLES has been made independent of
CONFIG_BRIDGE_NETFILTER.
So as you can see, one doesn't have the luxury of iptables in the
bridging path. Hence I am unable to use the L7 filter with iptables in the
bridging path.
I wasn't aware of the option of setting
/proc/sys/net/bridge/bridge-nf-call-iptables to 1. But I think this
must be the same as selecting CONFIG_BRIDGE_NETFILTER and hence
br_netfilter.c.
Thanks
GP
On Thu, Apr 1, 2010 at 12:21 PM, Bart De Schuymer <bdschuym@pandora.be> wrote:
> agashi shipora wrote:
>> I want to use L7 filter with ebtables for setting a MARK on the packet
>> similar to how it is being done with iptables today.
>>
>> Using brouting the bridge packet can be re-directed to the routing
>> path traversing the iptables. But all packets arriving on the interface
>> enslaved to the bridge would have to be brouted. This may not be
>> acceptable as a solution in my case.
>>
>> example:
>> What's available:
>> iptables -t filter -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 3
>>
>> What needs to be supported:
>> ebtables -t nat -A PRE-ROUTING -m layer7 --l7proto edonkey -j MARK --mark-set 3
>>
>> Is any work going on to port L7 filter to ebtables or does this port
>> of L7 filter already exist?
>>
>
> You can use iptables to filter bridged IP traffic, so I don't see the
> problem. Just make sure /proc/sys/net/bridge/bridge-nf-call-iptables
> contains 1. No need for brouting.
>
> cheers,
> Bart
>
>
> --
> Bart De Schuymer
> www.artinalgorithms.be
>
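The two replies turn on one runtime fact: whether bridged IPv4 frames are handed to iptables at all, which is what /proc/sys/net/bridge/bridge-nf-call-iptables reports (and which only exists when br_netfilter, i.e. CONFIG_BRIDGE_NETFILTER, is built and loaded). The following POSIX shell helper is an added example, not code from anyone in this thread; it reads that sysctl, classifies the result, and maps each state onto the option the thread discusses. The optional path argument and the `iptables_marking_plan` function name are assumptions introduced here so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies whether iptables sees
# bridged traffic by reading the bridge-nf-call-iptables sysctl.
# The path argument is an assumption added so a constructed file can be
# substituted; by default the real proc entry is read.
bridge_nf_iptables_state() {
    path="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$path" ]; then
        # No proc entry: br_netfilter (CONFIG_BRIDGE_NETFILTER) is not
        # present, so iptables never runs on the bridge path.
        echo "unavailable"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$path")
    case "$value" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown:$value" ;;
    esac
}

# Maps the state onto the options raised in the thread. The rule text for
# the "enabled" case is the iptables command quoted in the original post;
# it is returned as a string, not executed, so the caller decides.
iptables_marking_plan() {
    state=$(bridge_nf_iptables_state "$1")
    case "$state" in
        enabled)
            echo "iptables -t filter -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 3"
            ;;
        disabled)
            # Bart's suggestion: flip the sysctl, no brouting needed.
            echo "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
            ;;
        unavailable)
            # GP's situation: CONFIG_BRIDGE_NETFILTER cannot be built, so
            # iptables is not reachable from the bridge path at all.
            echo "no br_netfilter: iptables unreachable on bridge path; brouting or kernel change required"
            ;;
        *)
            echo "unexpected sysctl value: $state"
            ;;
    esac
}

# Stand-alone run: report the live state and the matching plan.
echo "bridge-nf-call-iptables: $(bridge_nf_iptables_state)"
echo "plan: $(iptables_marking_plan)"
```

On a kernel without br_netfilter the helper reports "unavailable" rather than treating a missing file as 0, which is the distinction GP's customized 2.6.30 tree makes relevant: a sysctl that reads 0 can be switched on, a sysctl that does not exist cannot.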
Thread overview: 10+ messages
2010-03-31 18:24 uisng L7 filter in ebtables commands agashi shipora
2010-04-01 6:51 ` Bart De Schuymer
2010-04-01 7:50 ` agashi shipora [this message]
2010-04-01 8:00 ` Jan Engelhardt
2010-04-01 9:48 ` agashi shipora
2010-04-01 10:19 ` Jan Engelhardt
2010-04-01 10:20 ` Bart De Schuymer
2010-04-01 14:14 ` agashi shipora
2010-04-01 16:09 ` /dev/rob0
2010-04-01 15:58 ` Stephen Hemminger