Re: ebtables mac update

["Покотиленко Костик" <casper@meteor.dp.ua>]

В Вто, 29/06/2010 в 09:57 -0500, Grant Taylor пишет:
> On 06/29/10 09:29, ðÏËÏÔÉÌÅÎËÏ ëÏÓÔÉË wrote:
> > Linux box runs some services and have 3 interfaces, 2 of them are 
> > bridged to br0 and one is left for separate local segment. So it is a 
> > router between br0 and eth2 and a bridge between eth0, eth1.
> 
> Will you please clarify what interface the Zyxel bridge is connected to? 
>    (I'm guessing that it's connected to either eth0 or eth1, but I'd 
> like some clarification.)
> 
> What is connected to the other two interfaces?

      +-- eth0: modem
br0 --+
      +-- eth1: local network

eth2: network of public access points

> > This is brctl showmacs, right?
> 
> I don't know the command off the top of my head, but I know there is a 
> command to have the bridge show what MAC addresses are associated with 
> what bridge ports.
> 
> > So, this is exactly the same logic that switches use, right?
> 
> Should be, yes.
> 
> > Can you confirm that if MAC (frame with source MAC) pops up on port 
> > different from the one it was seen previous time then the port for 
> > that MAC get updated?
> 
> Should be, yes.

If so, the linux bridge should not be the point of problem.

> > What then "brctl setageing" for?
> 
> That should set the aging / expire timer for MAC addresses that have not 
> been seen in a while.  (How long the MAC has to be quite before it is 
> flooded again.)

So this is to remove MACs that were not poped up for long to just not
waste momory.

> > It may happen that rebooting the modems brings port link down and the 
> > bridge may clear the MAC-port table on that port. This is similar to 
> > what Zyxel support told me.
> 
> Agreed.  See my previous reply about a way to test this.

I'll consider.

> > In my case on moved box I'm unable to make connections or even ping.
> 
> This is contrary to how every Linux bridge that I have used ever 
> behaved.  I'm thinking that the Zyxel is at least part of the problem. 
> That being said, it is very unlikely but there could be some sort of 
> weird interaction between the Zyxel and Linux bridging that combined is 
> causing a problem.

This is quite low probability.

> > Besides that it is a server, iptables is used to restrict access for 
> > separate local segment at eth2 (allow access to Internet and not to 
> > local net). Ebtables is empty now, but I wanted to be able to filter 
> > bridge traffic if that matters someday.
> 
> Remember that it is possible for IPTables to filter bridged traffic. 
> (It depends if an option is enabled in the kernel.)  So IPTables could 
> be interfering with out you knowing it.

I know that. But some kind of matches in newer kernels are available
only in ebtables, like --phys-dev-[in|out]

> Will you please provide the output of "iptables-save" (sanitized if needed).

All rules have either "-i eth2" or "-o eth2". eth2 is public access
points network that should be restricted. br0(eth0: modem, eth1: local
network for this building): local network. Default policy is accept, so
there is no rules to restrict bridged traffic.

-- 
Покотиленко Костик <casper@meteor.dp.ua>