Hi!

If I create the following setup:

   66.8.28.52/29                 66.8.28.51/29
   +------+                      +------+
   | PC A |------+     +---------| PC B |
   +------+      |     |         +------+
                 |     |
             eth1|     | eth0
                 +-----+
                 | qos |  (br0 = 66.8.28.49/29)
                 +-----+

PC A is connected to qos via a crossover cable, and PC B and qos are plugged
into the same switch. So even though everything is on the same network, traffic
has to go through qos when PC A talks to PC B.

Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
FORWARD, OUTPUT, POSTROUTING chains stay the same for both the filter and mangle
tables - i.e. netfilter doesn't see any traffic flowing through the machine.

Why is this? How do I match this traffic using netfilter? I can't use
ebtables because I have to match traffic in the mangle table if I want to
use it in conjunction with tc.

--
Regards
 Abraham

By the yard, life is hard. By the inch, it's a cinch.

___________________________________________________
 Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
 P.O. Box 3472, Matieland, Stellenbosch, 7602
 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/
 Email: abz@frogfoot.net
It sounds like you are running bridging with the netfilter hooks.

See the section at the bottom of the page on bridging + firewalling
(really netfilter hooks):

  http://bridge.sourceforge.net/download.html

And of course, the newest patches here:

  http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html

Are you running a kernel with support for bridge+nf (as it is known)?

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Hi Martin!

No, I'm not running with ebtables+nf support. From what I understand
(and please correct me if I'm wrong), patching the kernel with
ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
and NAT chains which you can match traffic on.

However, I need to match traffic in the mangle table, so the ebtables
table won't help me.

Some questions:

(a) If I add the bridge-nf + ebtables patches, will I be able to match
    traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?

(b) Why does netfilter not currently see the traffic even though a tcpdump
    on eth0/eth1 shows all the traffic passing through the interfaces?

--
Regards
 Abraham

I'm telling you that the kernel is stable not because it's a kernel,
but because I refuse to listen to arguments like this.
        -- Linus Torvalds
<bill-the-cat-sound>

Ack!  I meant to say:

  "It sounds like you are running bridging without the netfilter hooks."

But, of course, you understood what I meant.

 : No, I'm not running with ebtables+nf support. From what I understand
 : (and please correct me if I'm wrong), patching the kernel with
 : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
 : and NAT chains which you can match traffic on.
 :
 : However, I need to match traffic in the mangle table, so the ebtables
 : table won't help me.

In order for you to be able to use iptables *at all* with the bridging
code, you need the bridge+nf patch(es).

 : (a) If I add the bridge-nf + ebtables patches, will I be able to match
 :     traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?

Good question.  I haven't used the OUTPUT and POSTROUTING chains, but I
have used the FORWARD chain on a bridge+nf installation.  I think the link
you forwarded to this list earlier today [1] shows the sequence of
netfilter hook traversal, but assumes that you are running bridge+nf.

 : (b) Why does netfilter not currently see the traffic even though a tcpdump
 :     on eth0/eth1 shows all the traffic passing through the interfaces?

See above....

-Martin

[1] http://www.sparkle-cc.co.uk/firewall/firewall.html
Hi Martin!

> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).

Ah ok. Which patch should I use:

  http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff
or
  http://users.pandora.be/bart.de.schuymer/ebtables/br-nf/bridge-nf-0.0.10-against-2.4.20.diff

I've used the latter with 2.4.21pre5, but it seems as if the first one was
created for iptables and the latter for ebtables - is that correct or can I
use both?

I'll test it now with the new one anyway and see if I can match packets in
the mangle table.

--
Regards
 Abraham

Heller's Law:
        The first myth of management is that it exists.
Johnson's Corollary:
        Nobody really knows what is going on anywhere within the organization.
Hi Martin!

I just applied the bridge-nf and ebtables patches and tried it and I can
match packets in the mangle table as usual (also have to use FORWARD for
packets passing through the machine).

--
Regards
 Abraham

It is more rational to sacrifice one life than six.
        -- Spock, "The Galileo Seven", stardate 2822.3
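The symptom that started this thread (mangle counters that never move while tcpdump shows the packets) is easy to check mechanically. The script below is an added example, not code from the thread or from the bridge-nf project: it parses two snapshots of `iptables -t mangle -vnL -x` taken before and after pinging PC B from PC A and reports which chains and rules saw the traffic. The sample output, the four-ping count and the FORWARD MARK rule in it are constructed; with bridge-nf applied the FORWARD counters grow as in AFTER, and without it the diff is empty.

```python
import re
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy \S+ (\d+) packets, (\d+) bytes\)")

# Constructed sample of `iptables -t mangle -vnL -x` on the qos bridge before and
# after 4 pings from PC A to PC B. Without bridge-nf, AFTER would equal BEFORE.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 120 packets, 9600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MARK       icmp --  eth1   eth0    66.8.28.52           66.8.28.51           MARK set 0x1
"""
AFTER = """\
Chain PREROUTING (policy ACCEPT 128 packets, 10272 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 8 packets, 672 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4      336 MARK       icmp --  eth1   eth0    66.8.28.52           66.8.28.51           MARK set 0x1
"""

def parse_counters(text):
    """Map chain -> {"policy": pkts that fell through to the policy, "rules": [(pkts, rule)]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": int(m.group(2)), "rules": []}
            continue
        parts = line.split()
        # Rule lines begin with two integer columns (pkts, bytes); headers and blanks do not.
        if current and len(parts) > 2 and parts[0].isdigit() and parts[1].isdigit():
            chains[current]["rules"].append((int(parts[0]), " ".join(parts[2:])))
    return chains

def traffic_seen(before, after):
    """Chains whose counters grew: {chain: {"policy": delta, "rules": [(rule, delta)]}}."""
    old, new = parse_counters(before), parse_counters(after)
    seen = {}
    for chain, data in new.items():
        prev = old.get(chain, {"policy": 0, "rules": []})
        grown = []
        for i, (pkts, rule) in enumerate(data["rules"]):
            prev_pkts = prev["rules"][i][0] if i < len(prev["rules"]) else 0
            if pkts > prev_pkts:
                grown.append((rule, pkts - prev_pkts))
        if data["policy"] > prev["policy"] or grown:
            seen[chain] = {"policy": data["policy"] - prev["policy"], "rules": grown}
    return seen
```

Capture the real snapshots on the qos box with `iptables -t mangle -vnL -x` on either side of the ping and pass their contents to `traffic_seen`; a FORWARD rule whose MARK counter grows is the one a tc `fw` filter can then classify on.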