Hi, Tom recently helped me out with a DHCP broadcast problem on a bridge, which is fix in 2.4.1--thanks again Tom. I have three interfaces, one on the external net (eth0) and two bridged (br0) on the local net (bridging eth1 and eth2). The bridged adapter has an alias adapter running on it (br0:0 - 10.0.2.2), which is in the same subnet as adapter br0 (10.0.2.1). I also use MAC verification. When looking at the rules generated by shorewall, I noticed that the rules in the br0_mac chain for passing broadcast and multicast are duplicated because the alias is on the same subnet. -A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j br0_rec -A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth2 -j br0_rec -A br0_mac -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j br0_rec -A br0_mac -s 10.0.2.1 -d 10.0.2.7 -j br0_rec -A br0_mac -s 10.0.2.0/255.255.255.248 -d 255.255.255.255 -j br0_rec -A br0_mac -s 10.0.2.0/255.255.255.248 -d 224.0.0.0/240.0.0.0 -j br0_rec -A br0_mac -s 10.0.2.2 -d 10.0.2.7 -j br0_rec -A br0_mac -s 10.0.2.0/255.255.255.248 -d 255.255.255.255 -j br0_rec -A br0_mac -s 10.0.2.0/255.255.255.248 -d 224.0.0.0/240.0.0.0 -j br0_rec -A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6 -A br0_mac -j reject I fixed this in firewall by substituting the following code: ip route 2> /dev/null | grep $interface | sed ''s/ .*//;/default/d'' | while read network; do run_iptables -A $chain -s $network -d 255.255.255.255 -j $chain1 run_iptables -A $chain -s $network -d 224.0.0.0/4 -j $chain1 done which parses the source subnet from ip route and applies it once for broadcast and multicast. This gives the following: -A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j br0_rec -A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth2 -j br0_rec -A br0_mac -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j br0_rec -A br0_mac -s 10.0.2.1 -d 10.0.1.7 -j br0_rec -A br0_mac -s 10.0.2.2 -d 10.0.1.7 -j br0_rec -A br0_mac -s 10.0.2.0/255.255.255.248 -d 255.255.255.255 -j br0_rec -A br0_mac -s 10.0.2.0/255.255.255.248 -d 224.0.0.0/240.0.0.0 -j br0_rec -A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6 -A br0_mac -j reject I have attached a diff.
On Friday 15 July 2005 09:44, Supernaut wrote:> Hi, > > Tom recently helped me out with a DHCP broadcast problem on a bridge, > which is fix in 2.4.1--thanks again Tom. > > I have three interfaces, one on the external net (eth0) and two bridged > (br0) on the local net (bridging eth1 and eth2). The bridged adapter > has an alias adapter running on it (br0:0 - 10.0.2.2), which is in the > same subnet as adapter br0 (10.0.2.1). I also use MAC verification. > When looking at the rules generated by shorewall, I noticed that the > rules in the br0_mac chain for passing broadcast and multicast are > duplicated because the alias is on the same subnet. > > -A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j > br0_rec -A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m > physdev --physdev-in eth2 -j br0_rec -A br0_mac -s 10.0.2.6 -m mac > --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j br0_rec -A > br0_mac -s 10.0.2.1 -d 10.0.2.7 -j br0_rec > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 255.255.255.255 -j br0_rec > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 224.0.0.0/240.0.0.0 -j br0_rec > -A br0_mac -s 10.0.2.2 -d 10.0.2.7 -j br0_rec > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 255.255.255.255 -j br0_rec > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 224.0.0.0/240.0.0.0 -j br0_rec > -A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6 > -A br0_mac -j reject > > I fixed this in firewall by substituting the following code: > > ip route 2> /dev/null | grep $interface | sed ''s/ .*//;/default/d'' > | while read network; do run_iptables -A $chain -s $network -d > 255.255.255.255 -j $chain1 run_iptables -A $chain -s $network -d > 224.0.0.0/4 -j $chain1 done > > which parses the source subnet from ip route and applies it once for > broadcast and multicast.Actually, it is parsing the DESTINATION subnet.> This gives the following: > > -A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j > br0_rec -A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m > physdev --physdev-in eth2 -j br0_rec -A br0_mac -s 10.0.2.6 -m mac > --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j br0_rec -A > br0_mac -s 10.0.2.1 -d 10.0.1.7 -j br0_rec > -A br0_mac -s 10.0.2.2 -d 10.0.1.7 -j br0_rec > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 255.255.255.255 -j br0_rec > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 224.0.0.0/240.0.0.0 -j br0_rec > -A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6 > -A br0_mac -j reject > > I have attached a diff.I think that the attached patch is more to the point. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> Actually, it is parsing the DESTINATION subnet.Quite right!> > This gives the following: > > > > -A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j > > br0_rec -A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m > > physdev --physdev-in eth2 -j br0_rec -A br0_mac -s 10.0.2.6 -m mac > > --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j br0_rec -A > > br0_mac -s 10.0.2.1 -d 10.0.1.7 -j br0_rec > > -A br0_mac -s 10.0.2.2 -d 10.0.1.7 -j br0_rec > > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 255.255.255.255 -j br0_rec > > -A br0_mac -s 10.0.2.0/255.255.255.248 -d 224.0.0.0/240.0.0.0 -j br0_rec > > -A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6 > > -A br0_mac -j reject > > > > I have attached a diff. > > I think that the attached patch is more to the point. >Patch applied and here is the result: -A br0_mac -s 10.0.2.1 -d 10.0.1.7 -j br0_rec -A br0_mac -s 10.0.2.1 -d 255.255.255.255 -j br0_rec -A br0_mac -s 10.0.2.1 -d 224.0.0.0/240.0.0.0 -j br0_rec -A br0_mac -s 10.0.2.2 -d 10.0.1.7 -j br0_rec -A br0_mac -s 10.0.2.2 -d 255.255.255.255 -j br0_rec -A br0_mac -s 10.0.2.2 -d 224.0.0.0/240.0.0.0 -j br0_rec -A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6 -A br0_mac -j reject I see now. I had it in my head that we had to allow all broadcast and multicast for the subnet in br0_mac. Thanks Neil ------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click