Re: [LARTC] more bridging + qos confusion

2003-03-04 Thread Abraham van der Merwe
Hi Martin!

I just applied the bridge-nf and ebtables patches and tried it and I can
match packets in the mangle table as usual (also have to use FORWARD for
packets passing through the machine).

>  Ack!  I meant to say:
> 
>"It sounds like you are running bridging without the netfilter hooks."
> 
> But, of course, you understood what I meant.
> 
>  : No, I'm not running with ebtables+nf support. From what I understand
>  : (and please correct me if I'm wrong), patching the kernel with
>  : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
>  : and NAT chains which you can match traffic on.
>  :
>  : However, I need to match traffic in the mangle table, so the ebtables
>  : table won't help me.
> 
> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).
> 
>  :  (a) If I add the bridge-nf + ebtables patches, will I be able to match
>  :  traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?
> 
> Good question.  I haven't used the OUTPUT and POSTROUTING chains, but I
> have used the FORWARD chain on a bridge+nf installation.  I think the link
> you forwarded to this list earlier today [1] shows the sequence of
> netfilter hook traversal, but assumes that you are running bridge+nf.
> 
>  :  (b) Why does netfilter not currently see the traffic even though a tcpdump
>  :  on eth0/eth1 shows all the traffic passing through the interfaces?
> 
> See above
> 
> -Martin
> 
>  [1]  http://www.sparkle-cc.co.uk/firewall/firewall.html

-- 

Regards
 Abraham

It is more rational to sacrifice one life than six.
-- Spock, "The Galileo Seven", stardate 2822.3

___
 Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
 P.O. Box 3472, Matieland, Stellenbosch, 7602
 Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
 Email: [EMAIL PROTECTED]
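The combination the thread is working towards, as an added example that is not code from the thread: bridged PC A to PC B traffic is marked in the mangle FORWARD chain (the chain Abraham reports working above) and the mark is handed to tc through the fw classifier on the egress bridge port. It assumes the bridge-nf hooks are present (the 2003 patch; on current kernels the built-in hooks are switched with the net.bridge.bridge-nf-call-iptables sysctl), takes interface names and addresses from the thread's diagram, and the HTB rates are made-up values.

```shell
#!/bin/sh
# Added example, not code from the thread: mark bridged PC A -> PC B traffic
# in mangle FORWARD and hand it to tc through the fw classifier. Assumes the
# bridge-nf hooks are present (built into current kernels and switched with
# the net.bridge.bridge-nf-call-iptables sysctl; in 2003 they came from the
# bridge-nf patch). Names and addresses follow the thread's diagram; the HTB
# rates are made-up values. DRY_RUN=1 prints the commands instead of running
# them (no root needed).

BR=br0; OUT_IF=eth0                 # eth0 is the bridge port facing PC B
PC_A=66.8.28.52; PC_B=66.8.28.51    # hosts on either side of the qos box
MARK=1

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Without the bridge-nf hooks bridged frames never enter iptables, and the
# PREROUTING/FORWARD/POSTROUTING counters stay at zero: the thread's symptom.
check_bridge_nf() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Bridged traffic crosses mangle FORWARD, never OUTPUT (the box is not an
# endpoint). With bridge-nf the in/out device iptables sees is the bridge
# itself (br0); the physical port is only visible through the physdev match.
mark_rules() {
    run iptables -t mangle -A FORWARD -i "$BR" -o "$BR" -s "$PC_A" -d "$PC_B" \
        -j MARK --set-mark "$MARK"
}

# HTB on the egress port; the fw filter maps the netfilter mark to class 1:10.
shape_rules() {
    run tc qdisc add dev "$OUT_IF" root handle 1: htb default 20
    run tc class add dev "$OUT_IF" parent 1: classid 1:10 htb rate 512kbit ceil 512kbit
    run tc class add dev "$OUT_IF" parent 1: classid 1:20 htb rate 2mbit
    run tc filter add dev "$OUT_IF" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

setup() { mark_rules && shape_rules; }

# "dry" prints the rule set; "apply" installs it and then shows the mangle
# FORWARD counters, which must rise once PC A pings PC B.
case "${1:-}" in
    dry)   DRY_RUN=1; setup ;;
    apply) check_bridge_nf || { echo "bridge-nf hooks not enabled" >&2; exit 1; }
           setup && run iptables -t mangle -L FORWARD -v -n -x ;;
esac
```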





Re: [LARTC] more bridging + qos confusion

2003-03-04 Thread Abraham van der Merwe
Hi Martin!

>  : No, I'm not running with ebtables+nf support. From what I understand
>  : (and please correct me if I'm wrong), patching the kernel with
>  : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
>  : and NAT chains which you can match traffic on.
>  :
>  : However, I need to match traffic in the mangle table, so the ebtables
>  : table won't help me.
> 
> In order for you to be able to use iptables *at all* with the bridging
> code, you need the bridge+nf patch(es).

Ah, ok. Which patch should I use?
(http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff
or
http://users.pandora.be/bart.de.schuymer/ebtables/br-nf/bridge-nf-0.0.10-against-2.4.20.diff)

I've used the latter with 2.4.21pre5, but it seems as if the first one was
created for iptables and the latter for ebtables - is that correct or can I
use both?

I'll test it now with the new one anyway and see if I can match packets in
the mangle table.

-- 

Regards
 Abraham

Heller's Law:
The first myth of management is that it exists.

Johnson's Corollary:
Nobody really knows what is going on anywhere within the
organization.






Re: [LARTC] more bridging + qos confusion

2003-03-04 Thread Martin A. Brown
 Ack!  I meant to say:

   "It sounds like you are running bridging without the netfilter hooks."

But, of course, you understood what I meant.

 : No, I'm not running with ebtables+nf support. From what I understand
 : (and please correct me if I'm wrong), patching the kernel with
 : ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD,
 : and NAT chains which you can match traffic on.
 :
 : However, I need to match traffic in the mangle table, so the ebtables
 : table won't help me.

In order for you to be able to use iptables *at all* with the bridging
code, you need the bridge+nf patch(es).

 :  (a) If I add the bridge-nf + ebtables patches, will I be able to match
 :  traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?

Good question.  I haven't used the OUTPUT and POSTROUTING chains, but I
have used the FORWARD chain on a bridge+nf installation.  I think the link
you forwarded to this list earlier today [1] shows the sequence of
netfilter hook traversal, but assumes that you are running bridge+nf.

 :  (b) Why does netfilter not currently see the traffic even though a tcpdump
 :  on eth0/eth1 shows all the traffic passing through the interfaces?

See above

-Martin

 [1]  http://www.sparkle-cc.co.uk/firewall/firewall.html

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] more bridging + qos confusion

2003-03-04 Thread Abraham van der Merwe
Hi Martin!

No, I'm not running with ebtables+nf support. From what I understand (and
please correct me if I'm wrong), patching the kernel with
ebtables+bridge-nf, you get an ebtables table with BROUTING, FORWARD, and
NAT chains which you can match traffic on.

However, I need to match traffic in the mangle table, so the ebtables table
won't help me.

Some questions:

 (a) If I add the bridge-nf + ebtables patches, will I be able to match
 traffic on OUTPUT/FORWARD/POSTROUTING in the mangle table?

 (b) Why does netfilter not currently see the traffic even though a tcpdump
 on eth0/eth1 shows all the traffic passing through the interfaces?

> It sounds like you are running bridging with the netfilter hooks.
> 
> See the section at the bottom of the page on bridging + firewalling
> (really netfilter hooks):
> 
>   http://bridge.sourceforge.net/download.html
> 
> And of course, the newest patches here:
> 
>   http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html
> 
> Are you running a kernel with support for bridge+nf (as it is known)?
> 
> -Martin
> 
>  : If I create the following setup:
>  :
>  :
>  :
>  :    66.8.28.52/29                    66.8.28.51/29
>  :     +------+                         +------+
>  :     | PC A |--+                 +----| PC B |
>  :     +------+  |                 |    +------+
>  :                |                 |
>  :           eth1 |                 | eth0
>  :                +-----+-----+-----+
>  :                      | qos | (br0 = 66.8.28.49/29)
>  :                      +-----+
>  :
>  : PC A is connected to qos via a crossover cable, and PC B and qos are plugged
>  : into the same switch. So even though everything is on the same network, traffic
>  : has to go through qos when PC A talks to PC B.
>  :
>  : Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
>  : FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
>  : tables - i.e. netfilter doesn't see any traffic flowing through the machine.
>  :
>  : Why is this? How do I match this traffic using netfilter? I can't use
>  : ebtables because I have to match traffic in the mangle table if I want to
>  : use it in conjunction with tc.
>  :
>  :

-- 

Regards
 Abraham

I'm telling you that the kernel is stable not because it's a kernel,
but because I refuse to listen to arguments like this.
-- Linus Torvalds






Re: [LARTC] more bridging + qos confusion

2003-03-04 Thread Martin A. Brown
It sounds like you are running bridging with the netfilter hooks.

See the section at the bottom of the page on bridging + firewalling
(really netfilter hooks):

  http://bridge.sourceforge.net/download.html

And of course, the newest patches here:

  http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html

Are you running a kernel with support for bridge+nf (as it is known)?

-Martin

 : If I create the following setup:
 :
 :
 :
 :    66.8.28.52/29                    66.8.28.51/29
 :     +------+                         +------+
 :     | PC A |--+                 +----| PC B |
 :     +------+  |                 |    +------+
 :                |                 |
 :           eth1 |                 | eth0
 :                +-----+-----+-----+
 :                      | qos | (br0 = 66.8.28.49/29)
 :                      +-----+
 :
 : PC A is connected to qos via a crossover cable, and PC B and qos are plugged
 : into the same switch. So even though everything is on the same network, traffic
 : has to go through qos when PC A talks to PC B.
 :
 : Now, if PC A pings PC B, then my packet counters on the PREROUTING, INPUT,
 : FORWARD, OUTPUT, POSTROUTING chains stay the same for both filter and mangle
 : tables - i.e. netfilter doesn't see any traffic flowing through the machine.
 :
 : Why is this? How do I match this traffic using netfilter? I can't use
 : ebtables because I have to match traffic in the mangle table if I want to
 : use it in conjunction with tc.
 :
 :
