bugzilla-daemon@bugzilla.netfilter.org
2007-May-26 18:23 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

kaber@trash.net changed:

           What    |Removed |Added
----------------------------------------------------------------------------
         Status    |NEW     |RESOLVED
     Resolution    |        |INVALID

------- Additional Comments From kaber@trash.net 2007-05-26 18:23 MET -------
That's because, as for any other device, the packet hasn't been routed yet and the output device is thus unknown.

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon@bugzilla.netfilter.org
2007-May-26 21:45 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

rolf.fokkens@wanadoo.nl changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
         Status    |RESOLVED |REOPENED
     Resolution    |INVALID  |

------- Additional Comments From rolf.fokkens@wanadoo.nl 2007-05-26 21:45 MET -------
I'm not talking about the OUTPUT device, I mean the INPUT device. It says "IN=br1", not "IN=br1.25". As you can see it DOES say "IN=br1.25" in the FORWARD chain. So there's an interesting difference between the FORWARD and the PREROUTING chain. Actually: in the PREROUTING chain the WRONG device is reported, which seems to be the case for VLAN devices as it reports the physical device instead of the VLAN device.
bugzilla-daemon@bugzilla.netfilter.org
2007-May-27 13:38 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

kaber@trash.net changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
     AssignedTo    |laforge@netfilter.org |bdschuym@pandora.be
         Status    |REOPENED              |NEW

------- Additional Comments From kaber@trash.net 2007-05-27 13:38 MET -------
You're right, sorry. That's a result of how the bridge netfilter code is glued to IPv4 netfilter; it has a lot of complicated logic to choose the devices. This looks wrong obviously, Bart?
bugzilla-daemon@bugzilla.netfilter.org
2007-May-27 17:59 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

bdschuym@pandora.be changed:

           What    |Removed |Added
----------------------------------------------------------------------------
         Status    |NEW     |RESOLVED
     Resolution    |        |INVALID

------- Additional Comments From bdschuym@pandora.be 2007-05-27 17:59 MET -------
This behaviour is caused by the way the networking code works: a bridge isn't a vlan-enabled device, the device br1.25 just sits on top of the bridge device. This results in the fact that as long as the incoming packet is handled by the bridge code, iptables sees the in-dev as br1. If the packet is forwarded and not routed, you'll see br1 instead of br1.25 in the iptables FORWARD chains. It's only when the packet actually gets routed or when it's destined for the bridge box itself that the in-dev becomes br1.25.

If you want to use vlan devices in the PREROUTING chains for traffic received by a bridge, you can make eth1.25 and add eth1.25 to br0 and then use the physdev module.

cheers,
Bart
bugzilla-daemon@bugzilla.netfilter.org
2007-May-27 20:16 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

------- Additional Comments From kaber@trash.net 2007-05-27 20:16 MET -------
It seems a bit odd to have different devices in PREROUTING and FORWARD for the same packet, but then again, it doesn't seem to make very much sense to hand the packet to IPv4 netfilter from the bridge code for _a locally configured_ VLAN since you can just as well receive it properly through the VLAN device and have it forwarded from there.
bugzilla-daemon@bugzilla.netfilter.org
2007-May-27 20:52 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

------- Additional Comments From bdschuym@pandora.be 2007-05-27 20:52 MET -------
I guess it seems odd and I must admit I was confused myself at first, but the physdev match option physdev-is-bridged is there if you want to know if you should use br1 or br1.25 in the specific firewall rule. It is logical, at least to me, if you know how the vlan-specific networking is implemented.
bugzilla-daemon@bugzilla.netfilter.org
2007-May-27 21:00 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

------- Additional Comments From kaber@trash.net 2007-05-27 21:00 MET -------
Agreed, both PREROUTING IN=br1 and FORWARD IN=br1.25 make sense for what is happening on their own, so the combination must make sense too :)

Rolf, setting /proc/net/bridge/bridge-nf-filter-vlan-tagged = 0 should do the right thing for you, the VLAN packet will go through the VLAN code and the decapsulated packet will be delivered to IP from there with IN=br1.25.

Bart, I wonder how many people are aware of the sysctl controls and their default value of 1. Maybe making them available as module options as well would make them more visible?
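A defender-side audit of the pitfall discussed in this thread, added here as an example (not code from the bug report or from the netfilter project): it flags PREROUTING rules keyed on a VLAN sub-interface of a bridge, which silently never match while bridge-nf-filter-vlan-tagged is 1 because the kernel reports IN=<bridge>, and it reads the current value of that knob. The iptables-save excerpt is constructed, and the function names and the /proc/sys path are my assumptions.

```shell
# Constructed `iptables-save` excerpt (hypothetical, not from the bug report):
# the first PREROUTING rule keys on the VLAN device br1.25, the second on the bridge.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br1.25 -p tcp --dport 80 -j DNAT --to-destination 10.0.25.10:8080
-A PREROUTING -i br1 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.2:22
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br1.25 -j ACCEPT
COMMIT'

# List PREROUTING rules whose input-device match is a VLAN sub-interface of the
# given bridge ("br1.<id>"). With bridge-nf-filter-vlan-tagged=1 (the default the
# thread mentions) such rules see IN=<bridge> instead and never fire, so a DNAT or
# mangle rule the operator relies on is dead. $1: iptables-save text, $2: bridge name.
find_dead_vlan_prerouting_rules() {
    printf '%s\n' "$1" | awk -v br="$2" '
        BEGIN { pfx = br "." }
        /^\*/ { table = substr($0, 2) }
        /^-A PREROUTING / {
            for (i = 1; i < NF; i++)
                if ($i == "-i" && index($(i + 1), pfx) == 1)
                    print table ": " $0
        }'
}

# Report the running kernel's setting. The thread names /proc/net/bridge; current
# kernels expose the same knob as sysctl net.bridge.bridge-nf-filter-vlan-tagged
# (assumed path below), and it only exists once br_netfilter is loaded.
vlan_tagged_filtering() {
    for f in /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged \
             /proc/net/bridge/bridge-nf-filter-vlan-tagged; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "unavailable (br_netfilter not loaded?)"
}

# Stand-alone run: audit the constructed ruleset against bridge br1.
echo "bridge-nf-filter-vlan-tagged: $(vlan_tagged_filtering)"
echo "PREROUTING rules that never match while the setting is 1:"
find_dead_vlan_prerouting_rules "$SAMPLE_RULES" br1
```

Run the function over real `iptables-save` output on a bridge host; any hit means either setting the knob to 0 as suggested above or rewriting the rule with the physdev match Bart describes.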
bugzilla-daemon@bugzilla.netfilter.org
2007-May-27 21:49 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

------- Additional Comments From bdschuym@pandora.be 2007-05-27 21:49 MET -------
Patrick, I'm fine with that... Most networking people probably scan /proc/net and stumble on /proc/net/bridge sooner or later :)
bugzilla-daemon@bugzilla.netfilter.org
2007-May-27 22:33 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

------- Additional Comments From rolf.fokkens@wanadoo.nl 2007-05-27 22:33 MET -------
Thanks, this does the trick. Is this well-documented?

I'm not sure however if I understand this somewhat unexpected behaviour. So far I get the impression that PREROUTING has an ambiguous meaning within bridge devices. Bridge devices do some "routing" (switching is the proper term if I'm correct) on their own at the ethernet level; the term PREROUTING seems to apply here as well - am I correct?

One could argue that PREROUTING only applies to bridging if the packet is forwarded to another interface of the same bridge. If this is not the case, PREROUTING should be handled by the normal IP routing code. Now I suspect that one cannot know in advance if PREROUTING should take place at the bridging level or the routing level as packets may be changed in the mangle table.
bugzilla-daemon@bugzilla.netfilter.org
2007-May-28 12:42 UTC
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570

------- Additional Comments From bdschuym@pandora.be 2007-05-28 12:42 MET -------
iptables PREROUTING before the bridge forwarding decision is used to change the IP destination address. You therefore obviously have to go through the PREROUTING chain before that bridging decision, even if it turns out afterwards the packet wasn't dnated.

Of course, it's possible to redirect (at the ethernet level) the packets with ebtables, so in theory it's probably not absolutely needed to have iptables PREROUTING before the bridging decision. Statements like that usually turn out to be false in the end, but anyway it does save you a lot of delay since routing over a bridge input device means queuing the packet twice at the input side.