Re: ebtables mac update

[Grant Taylor <gtaylor@riverviewtech.net>]

On 06/29/10 09:29, Покотиленко Костик wrote:
> Linux box runs some services and have 3 interfaces, 2 of them are 
> bridged to br0 and one is left for separate local segment. So it is a 
> router between br0 and eth2 and a bridge between eth0, eth1.

Will you please clarify what interface the Zyxel bridge is connected to? 
   (I'm guessing that it's connected to either eth0 or eth1, but I'd 
like some clarification.)

What is connected to the other two interfaces?

> This is brctl showmacs, right?

I don't know the command off the top of my head, but I know there is a 
command to have the bridge show what MAC addresses are associated with 
what bridge ports.

> So, this is exactly the same logic that switches use, right?

Should be, yes.

> Can you confirm that if MAC (frame with source MAC) pops up on port 
> different from the one it was seen previous time then the port for 
> that MAC get updated?

Should be, yes.

> What then "brctl setageing" for?

That should set the aging / expire timer for MAC addresses that have not 
been seen in a while.  (How long the MAC has to be quite before it is 
flooded again.)

> It may happen that rebooting the modems brings port link down and the 
> bridge may clear the MAC-port table on that port. This is similar to 
> what Zyxel support told me.

Agreed.  See my previous reply about a way to test this.

> In my case on moved box I'm unable to make connections or even ping.

This is contrary to how every Linux bridge that I have used ever 
behaved.  I'm thinking that the Zyxel is at least part of the problem. 
That being said, it is very unlikely but there could be some sort of 
weird interaction between the Zyxel and Linux bridging that combined is 
causing a problem.

> Besides that it is a server, iptables is used to restrict access for 
> separate local segment at eth2 (allow access to Internet and not to 
> local net). Ebtables is empty now, but I wanted to be able to filter 
> bridge traffic if that matters someday.

Remember that it is possible for IPTables to filter bridged traffic. 
(It depends if an option is enabled in the kernel.)  So IPTables could 
be interfering with out you knowing it.

Will you please provide the output of "iptables-save" (sanitized if needed).



Grant. . . .