Linux Ethernet Bridging - Dec 2009 - [Bridge] ebtables, PF_PACKET and other stuff

Hi there !
I have been looking to the ebtables website, and in particular to the
flowchart :
http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png

I am trying to have the following behaviour :
On eth0, I have several types of frames, IP, 802.1Q and other things.
I would like to have other things forwarded directly to eth1, and I
would like to analyse the IP and 802.1Q frames.
I mean : I don't want to see the frames in my local process.

I have done the following :
- Creating a bridge between eth0 and eth1, no stp.
- ebtables -t broute -A BROUTING -p IPv4 -j DROP
- ebtables -t broute -A BROUTING -p 802.1q -j DROP

This seems to work, as no IP nor VLAN frames are going out from eth1.
Then, my question is : How can I "listen" to eth0, in order to get the
complete frames (I need all the ethernet frames when IP or 802.1Q). I
thought about something like a PF_PACKET, but I am not sure if I need
to be in promiscuous mode or not...

I did some tries, but nothing worked, so I prefer asking :-).
Thanks in advance !
Best Regards,
JM

On Wed, Dec 23, 2009 at 3:02 AM, Jean-Michel Hautbois
<jhautbois at gmail.com> wrote:
> Hi there !
> I have been looking to the ebtables website, and in particular to the
> flowchart :
> http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
>
> I am trying to have the following behaviour :
> On eth0, I have several types of frames, IP, 802.1Q and other things.
> I would like to have other things forwarded directly to eth1, and I
> would like to analyse the IP and 802.1Q frames.
> I mean : I don't want to see the frames in my local process.
>
> I have done the following :
> - Creating a bridge between eth0 and eth1, no stp.
> - ebtables -t broute -A BROUTING -p IPv4 -j DROP
> - ebtables -t broute -A BROUTING -p 802.1q -j DROP
>
> This seems to work, as no IP nor VLAN frames are going out from eth1.
> Then, my question is : How can I "listen" to eth0, in order to
get the
> complete frames (I need all the ethernet frames when IP or 802.1Q). I
> thought about something like a PF_PACKET, but I am not sure if I need
> to be in promiscuous mode or not...
>
> I did some tries, but nothing worked, so I prefer asking :-).
Send those packets to the ULOG target when dropping them.

> Send those packets to the ULOG target when dropping them.

>  From the ebtables manpage:

> ulog

> The ulog watcher passes the packet to a userspace logging daemon using
> netlink multicast sockets. This differs from the log watcher in the
> sense that the complete packet is sent to userspace instead of a
> descriptive text and that netlink multicast sockets are used instead
> of the syslog. This watcher enables parsing of packets with userspace
> programs
> (snip)
Mmh, ok, but from the userspace point of view, how can I get them ? A  
SOCK_RAW ?

JM
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.linux-foundation.org/pipermail/bridge/attachments/20091223/a20226f7/attachment.htm

jhautbois at gmail.com schreef:
>> Send those packets to the ULOG target when dropping them.
>
>
>
>>  From the ebtables manpage:
>
>
>
>> ulog
>
>
>
>> The ulog watcher passes the packet to a userspace logging daemon using
>
>> netlink multicast sockets. This differs from the log watcher in the
>
>> sense that the complete packet is sent to userspace instead of a
>
>> descriptive text and that netlink multicast sockets are used instead
>
>> of the syslog. This watcher enables parsing of packets with userspace
>
>> programs
>
>> (snip)
>
> Mmh, ok, but from the userspace point of view, how can I get them ? A
> SOCK_RAW ?
>
See http://ebtables.sourceforge.net/examples/basic.html#ex_ulog

cheers,
Bart

-- 
Bart De Schuymer
www.artinalgorithms.be

Hi there, and my best wishes for this new year !
>> Mmh, ok, but from the userspace point of view, how can I get them ? A
>> SOCK_RAW ?
>>
> See http://ebtables.sourceforge.net/examples/basic.html#ex_ulog
>
> cheers,
> Bart
Thanks for your reply, but it is not exactly what I am looking for...
I have two rules, that enable the bridging between two of my
interfaces. When I receive IP or VLAN, these packets are droped by the
broute table.
I tried to add the rule :
ebtables -A FORWARD --ulog-nlgroup 5 -j DROP

But it seems  to send me all packets, when I am listening with a
netlink socket...
I have for example an interface connected the internet, that receives
packets, and these packets are received by my netlink socket...
I think I have to tell the Forward rule that I only want the packets
from my eth2 interface (which is the one where I receive my VLAN
packets) ?

Thanks again.
Best Regards,
JM

I will correct myself : I had an error in my socket creation...
This is correctly working, the test_ulog example is easy to
understand, and very useful.

Thanks again !
Best Regards,
JM