Here are some notes I have about Linux bridging.  I'll try to separate
what I know I know from what I think I know.  

Let's say I want to bridge eth0, eth1, and eth2 together, all with an IP
Address of, say, 1.2.3.2.  This is how to do it:
 
echo "Setting up br0 to bridge eth0 with eth1 and eth2"
 
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/usr/sbin/brctl addif br0 eth2

/sbin/ip addr add 1.2.3.2/24 dev br0
/sbin/ip link set br0 up

Continuing with the above example, most of the writeups also say to
remove any IP Addresses from eth0, eth1, and eth2.  But I've found this
doesn't seem necessary - well, sort of.  

Let's say that eth0 is at IP Address 1.2.3.2, and now I bridge eth0,
eth1, and eth2 together and give bridge br0 the same IP Address of
1.2.3.2.  Now I have a mess because both eth0 and br0 have the same IP
Address.  Doing this:

        ip addr del 1.2.3.2/24 dev eth0

cleans up the mess.  

But let's say that physical interface eth1 has IP Address 10.0.0.1.
From testing, it looks like other systems can ping 10.0.0.1 just fine,
assuming they have a route to it.  So I **think** I know that I can
assign an IP Address to a raw interface, as long as it's a different IP
Address than what I assigned to the overall bridge.  But I haven't seen
this capability documented anywhere.  
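The two cases above (a member interface carrying the same address as the bridge, which has to be cleaned up, versus a member carrying a different address, which can stay) can be checked before the bridge is brought up. The script below is an added example, not part of the original post; it assumes member interfaces are passed as "iface=addr/prefix" words (the sample values are constructed) and only emits the brctl/ip commands, so it can be reviewed first and piped to sh as root to apply.

```shell
#!/bin/sh
# Added example (not from the original post).  Assumes: the bridge name
# and its address are given first; each member is "iface" or
# "iface=addr/prefix" describing the address the interface currently has.

# Emit the commands that build the bridge, in the order the post uses.
bridge_setup_cmds() {
    br="$1"; addr="$2"; shift 2
    echo "/usr/sbin/brctl addbr $br"
    for spec in "$@"; do
        echo "/usr/sbin/brctl addif $br ${spec%%=*}"
    done
    echo "/sbin/ip addr add $addr dev $br"
    echo "/sbin/ip link set $br up"
}

# Compare each member's current address with the bridge address.  A member
# that has the same address as the bridge gets the 'ip addr del' cleanup
# from the post; a member with a different address (the 10.0.0.1 case) or
# no address is left alone.
member_cleanup_cmds() {
    addr="$1"; shift
    for spec in "$@"; do
        ifc="${spec%%=*}"; cur="${spec#*=}"
        if [ "$cur" = "$spec" ]; then
            continue                      # no address recorded for it
        fi
        if [ "${cur%%/*}" = "${addr%%/*}" ]; then
            echo "/sbin/ip addr del $cur dev $ifc"
        fi
    done
}

# Constructed sample input matching the post: eth0 already holds 1.2.3.2,
# eth1 holds 10.0.0.1, eth2 has no address.
plan_bridge() {
    bridge_setup_cmds br0 1.2.3.2/24 eth0=1.2.3.2/24 eth1=10.0.0.1/24 eth2
    member_cleanup_cmds 1.2.3.2/24 eth0=1.2.3.2/24 eth1=10.0.0.1/24 eth2
}

plan_bridge
```

Review the output, then apply it with `plan_bridge | sh` as root; the only cleanup line produced is for eth0, because eth1's 10.0.0.1 does not conflict with the bridge address.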

Let's say the bridge is up and working at IP Address 1.2.3.2.  I have a
system at IP Address 1.2.3.1 connected via eth0.  That system can ping
1.2.3.2 easily.  If I disconnect the Ethernet cable from eth0 and plug
into eth1 or eth2, after about 30 seconds, that bridged system begins
answering pings again.  As indicated in the writeups, that spare PC with
a bunch of NICs is now acting like a managed Ethernet switch.  Cool!

Filtering

iptables is a super-sophisticated toolset to filter IP packets.
ebtables is another toolset to filter at the OSI layer 2 (datalink)
layer.  iptables concerns itself (mostly) with routing across an IP
network, computer to computer.  ebtables concerns itself (mostly) with
filtering packets across physical NIC interfaces in the same computer.

Here is a great writeup on using ebtables and iptables together:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
But - like everything I've been able to find so far, I don't think this
writeup is completely accurate.  

iptables has a module called physdev.  According to the writeup, I can
use the iptables physdev module to filter among the raw interfaces in a
bridge.  But a discussion in the netfilter list essentially says that
physdev is being removed because it creates all kinds of other problems.
At least, I think that's what it says.  The relevant discussion took
place in early July 2006.  Here is a pointer to the beginning of the
discussion:
https://lists.netfilter.org/pipermail/netfilter-devel/2006-July/024896.html

So it looks like when filtering at the network layer, (IP in this case)
use iptables.  When filtering at the data link layer, use ebtables and
maybe arptables.  Avoid using -m physdev in iptables because it's going
away.  You can add IP Addresses to bridged eth-- interfaces as long as
they don't conflict with the bridge IP Address(es).  

Next up will be to try some filtering scenarios with ebtables and
iptables.  

- Greg Scott

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc