Linux Netfilter discussions
From: Maksim <makskr@gmail.com>
To: netfilter@vger.kernel.org
Subject: stp-flags usage
Date: Sat, 2 Jul 2016 21:15:14 +0300
Message-ID: <20160702181514.GA7300@asya>

Hello,

I have the following topology (where BR1 is a Linux bridge):

                            BR1
  +--------+              +-----+          +--------+
  |        |  STP+TC      |     |          |        |
  | Cisco  |  ----->  eth1|-->X |eth2      | Cisco  |
  | Switch +--------------+     +----------+ Switch |
  |        |  ----->      | --> | ----->   |        |
  +--------+   STP        +-----+  STP     +--------+

and I want to block propagation of config STP frames only when
their topology-change (TC) bit is set to 1, while allowing
other STP frames to pass.

If I understand correctly, I should use the following rule on BR1:

# ebtables -A FORWARD -i eth1 -d BGA --stp-flags 1 -j DROP

but it does NOT seem to work: the tcpdump output on eth2 still
shows STP config messages with the TC bit.

Moreover, even the rule counters never change:

# ebtables -L --Ln --Lc
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
1. -d BGA -i eth1 --stp-flags topology-change -j DROP , pcnt = 0 -- bcnt = 0
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

always showing pcnt = 0 -- bcnt = 0.

Could somebody point out where I am going wrong?

Thanks in advance,
Maksim.
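
Added example, not part of the original message: a small Python decoder for checking offline which captured frames carry the fields the rule above names (destination BGA, config BPDU, TC flag bit 0x01). It assumes the standard 802.1D frame layout; the function names and the sample frames are constructed for illustration.

```python
import struct

BGA = bytes.fromhex("0180c2000000")  # bridge group address ("BGA" in the rule)
LLC_STP = b"\x42\x42\x03"            # DSAP, SSAP, control used by spanning tree
FLAG_TC = 0x01                       # topology-change bit in the flags byte

def classify(frame: bytes) -> str:
    """Return 'not-stp', 'tcn', 'config', 'config+tc' or 'other-bpdu'."""
    if len(frame) < 21 or frame[:6] != BGA:
        return "not-stp"
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != LLC_STP:  # 802.3 length + LLC expected
        return "not-stp"
    proto_id, _version, bpdu_type = struct.unpack("!HBB", frame[17:21])
    if proto_id != 0:
        return "not-stp"
    if bpdu_type == 0x80:            # TCN BPDU: no flags field at all
        return "tcn"
    if bpdu_type != 0x00 or len(frame) < 22:
        return "other-bpdu"
    return "config+tc" if frame[21] & FLAG_TC else "config"

def make_config_bpdu(flags: int) -> bytes:
    """Constructed sample: 802.1D config BPDU with the given flags byte."""
    bpdu = struct.pack("!HBBB", 0, 0, 0x00, flags)
    bpdu += bytes.fromhex("8000001122334455")     # root id (constructed)
    bpdu += struct.pack("!I", 4)                  # root path cost
    bpdu += bytes.fromhex("8000001122334466")     # bridge id (constructed)
    # port id, message age, max age, hello time, forward delay (1/256 s units)
    bpdu += struct.pack("!HHHHH", 0x8001, 256, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_STP + bpdu
    src = bytes.fromhex("001122334466")           # constructed source MAC
    return BGA + src + struct.pack("!H", len(payload)) + payload

def make_tcn_bpdu() -> bytes:
    """Constructed sample: topology change notification BPDU."""
    payload = LLC_STP + struct.pack("!HBB", 0, 0, 0x80)
    return BGA + bytes.fromhex("001122334466") + struct.pack("!H", len(payload)) + payload

if __name__ == "__main__":
    for name, frame in [("config", make_config_bpdu(0x00)),
                        ("config, TC set", make_config_bpdu(0x01)),
                        ("TCN", make_tcn_bpdu())]:
        print(f"{name:15s} -> {classify(frame)}")
```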
