From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Sumin Xia <xiasumin1984@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: How to transfer a IP packet based on ebtables and iptables?
Date: Wed, 10 Nov 2010 10:09:06 +0100 [thread overview]
Message-ID: <4CDA6132.5040001@plouf.fr.eu.org> (raw)
In-Reply-To: <B6443739-BE5C-44B0-916D-69C4764DBDF6@gmail.com>
Hello,
Sumin Xia wrote:
>
> According to my understanding, if I implement ebtables on my Linux
> system, a frame should be passed through ebtables modules.
Ebtables sees only packets on interfaces that are part of a bridge.
> Then, if
> ebtables modules find the destination mac address of the frame is the
> local mac address, it will transfer the frame to layer-3, that is
> iptables, right?
Iptables is normally called from the IP layer, and layer 3 is the IP
layer if the packet is an IP packet. But if the kernel was built with
the option CONFIG_BRIDGE_NETFILTER enabled (which is the most common
AFAICS) and /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1
(the default), things are a bit more complicated: some iptables chains
are called from the bridge and interleaved with ebtables chains, and
won't be called from the IP layer. This is shown on the diagram in the
article about netfilter/iptables at Wikipedia. The purpose is to allow
the use of iptables capabilities on purely bridged IP traffic.
> Now I want to do a test, which modifies the destination mac address of
> a frame before sending it. Therefore, the frame will be forwarded to
> another destination instead of the real destination, while its
> destination ip address is still the real destination ip address. In
> this case, when the frame arrives at the pseudo destination machine, will
> it be transferred to layer-3 of the system?
Yes.
> If it is transferred to layer-3
> of the system, the system will find the destination ip address is not
> a local ip address. What will happen next? Drop the packet? Or send an
> arp request to find the real destination mac address and forward it?
It depends on whether the machine acts as a host or a router. If it acts as
a host, it will discard the packet. If it acts as a router, it will try
to forward the packet to the next hop (which may not be the final
destination) according to its routing table. It will send an ARP request
only if it is a necessary step in order to reach the next hop.
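The two knobs Pascal's reply hinges on can be checked from a shell. The script below is an added example, not part of this thread or of the netfilter project: it reads /proc/sys/net/bridge/bridge-nf-call-iptables to tell whether bridged IP traffic will traverse iptables, and /proc/sys/net/ipv4/ip_forward to tell whether a frame that carries a local destination MAC but a non-local destination IP will be discarded (host) or routed toward the next hop (router). The sysctl root is a parameter so the functions can be run against a constructed tree without a bridge or root privileges; the function names and the "host-drop"/"router-forward" labels are my own, and the classification is a simplification (per-interface forwarding settings, reverse-path filtering and firewall rules can still drop a packet that ip_forward alone would allow).

```shell
#!/bin/sh
# Added example: classify bridge-netfilter and L3 forwarding behaviour from
# sysctl values. ROOT defaults to /proc/sys but may point at a constructed tree.

# read_knob ROOT RELPATH -> prints the file's value, or "absent" if unreadable
# (bridge-nf-call-iptables is absent when br_netfilter is not loaded/built).
read_knob() {
    _f="$1/$2"
    if [ -r "$_f" ]; then
        tr -d '[:space:]' < "$_f"
    else
        printf 'absent'
    fi
}

# l3_behaviour ROOT -> "router-forward" when ip_forward=1, else "host-drop"
# (a frame with our MAC but a foreign destination IP is discarded by a host
# and routed by a router, as the reply above explains; labels are mine).
l3_behaviour() {
    case "$(read_knob "$1" net/ipv4/ip_forward)" in
        1) printf 'router-forward' ;;
        *) printf 'host-drop' ;;
    esac
}

# bridge_nf_state ROOT -> whether purely bridged IP traffic hits iptables
bridge_nf_state() {
    case "$(read_knob "$1" net/bridge/bridge-nf-call-iptables)" in
        absent) printf 'no-bridge-netfilter' ;;
        1) printf 'iptables-sees-bridged' ;;
        *) printf 'iptables-skips-bridged' ;;
    esac
}

# report [ROOT] -> human-readable summary of the two knobs
report() {
    root="${1:-/proc/sys}"
    echo "bridge-nf-call-iptables: $(read_knob "$root" net/bridge/bridge-nf-call-iptables)"
    echo "bridged IP vs iptables:  $(bridge_nf_state "$root")"
    echo "ip_forward:              $(read_knob "$root" net/ipv4/ip_forward)"
    echo "frame w/ non-local dst IP: $(l3_behaviour "$root")"
}

# make_fake_tree DIR IPFWD BRNF -> constructed sysctl tree for offline runs;
# pass an empty BRNF to simulate a kernel without bridge netfilter.
make_fake_tree() {
    mkdir -p "$1/net/ipv4" "$1/net/bridge"
    printf '%s\n' "$2" > "$1/net/ipv4/ip_forward"
    rm -f "$1/net/bridge/bridge-nf-call-iptables"
    if [ -n "$3" ]; then
        printf '%s\n' "$3" > "$1/net/bridge/bridge-nf-call-iptables"
    fi
}

# Usage: ./bridge-nf-check.sh            -> inspect the running kernel
#        ./bridge-nf-check.sh --demo     -> run against a constructed tree
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_fake_tree "$d" 0 1     # host with bridge netfilter on (defaults)
    report "$d"
    rm -rf "$d"
elif [ "${1:-}" = "--live" ]; then
    report /proc/sys
fi
```

On a machine where br_netfilter is loaded and ip_forward is 0, the report shows that iptables will see bridged traffic but that the box itself discards a frame whose destination IP is not local; setting ip_forward to 1 flips the last line to "router-forward".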
Thread overview: 3+ messages
2010-11-09 18:56 How to transfer a IP packet based on ebtables and iptables? Sumin Xia
2010-11-09 22:30 ` Angel Inkov
2010-11-10 9:09 ` Pascal Hambourg [this message]