brctl & ebtables problems

Post by Damir Gali » Thu, 25 Aug 2005 10:34:28



hey, I am using ebtables in combination with brctl.
it's like this:

ifconfig eth0 192.168.1.100
ifconfig eth1 192.168.0.1
brctl addbr br0
brctl stp br0 off
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 0.0.0.0 up
ebtables -t broute -P BROUTING DROP
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT

now this should work as if there was no bridge. right?
now why is tcpdump dropping all that data, when I am dropping everything
with ebtables?

I am getting all this data with:
tcpdump -i br0 -n

03:05:34.806888 0.00:50:8d:53:81:38.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
03:06:21.951811 192.168.0.11.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
03:06:21.951985 arp who-has 192.168.0.11 tell 192.168.0.12
03:06:36.996925 10.38.0.1 > 224.0.0.1: igmp query v2 [tos 0xc0]  [ttl 1]
03:06:41.606817 10.38.17.104 > 225.10.10.10: igmp v2 report 225.10.10.10 (DF) [ttl 1]
03:06:42.749076 192.168.0.11 > 239.255.255.250: igmp v2 report 239.255.255.250 [ttl 1]
03:08:42.016393 10.38.0.1 > 224.0.0.1: igmp query v2 [tos 0xc0]  [ttl 1]
03:08:46.352990 10.38.17.104 > 225.10.10.10: igmp v2 report 225.10.10.10 (DF) [ttl 1]
03:08:46.453257 192.168.0.12.138 > 192.168.0.255.138: NBT UDP PACKET(138)
03:08:49.016695 192.168.0.12 > 239.255.255.250: igmp v2 report 239.255.255.250 [ttl 1]
03:09:31.128966 arp who-has 192.168.0.1 tell 192.168.0.11
03:09:31.129068 arp reply 192.168.0.1 is-at 0:40:5:a7:2f:97
03:09:49.893388 192.168.0.11.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

now the problem is, the bridge fails every time I see
03:09:31.129068 arp reply 192.168.0.1 is-at 0:40:5:a7:2f:97
The network is not responding for a couple of seconds, then it starts working
normally again.
I am kinda a beginner here at this, so what could be the problem?

thanks

 
 
 

Post by Llanzlan Klazmo » Thu, 25 Aug 2005 12:34:19



> hey, I am using ebtables in combination with brctl.
> it's like this:

> ifconfig eth0 192.168.1.100
> ifconfig eth1 192.168.0.1
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 eth0
> brctl addif br0 eth1
> ifconfig br0 0.0.0.0 up
> ebtables -t broute -P BROUTING DROP
> iptables -A INPUT -i br0 -j ACCEPT
> iptables -A FORWARD -i br0 -o br0 -j ACCEPT

> now this should work as if there was no bridge. right?
> now why is tcpdump dropping all that data, when I am dropping everything
> with ebtables?

IIRC tcpdump sees the packets before any filtering occurs, i.e. its hook is
at a lower level than the filters. If the ethernet switch port is set to
monitor mode then your PC and tcpdump will see everything passing through the
switch.

> I am getting all this data with:
> tcpdump -i br0 -n

> 03:05:34.806888 0.00:50:8d:53:81:38.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
> 03:06:21.951811 192.168.0.11.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> 03:06:21.951985 arp who-has 192.168.0.11 tell 192.168.0.12
> 03:06:36.996925 10.38.0.1 > 224.0.0.1: igmp query v2 [tos 0xc0]  [ttl 1]
> 03:06:41.606817 10.38.17.104 > 225.10.10.10: igmp v2 report 225.10.10.10 (DF) [ttl 1]
> 03:06:42.749076 192.168.0.11 > 239.255.255.250: igmp v2 report 239.255.255.250 [ttl 1]
> 03:08:42.016393 10.38.0.1 > 224.0.0.1: igmp query v2 [tos 0xc0]  [ttl 1]
> 03:08:46.352990 10.38.17.104 > 225.10.10.10: igmp v2 report 225.10.10.10 (DF) [ttl 1]
> 03:08:46.453257 192.168.0.12.138 > 192.168.0.255.138: NBT UDP PACKET(138)
> 03:08:49.016695 192.168.0.12 > 239.255.255.250: igmp v2 report 239.255.255.250 [ttl 1]
> 03:09:31.128966 arp who-has 192.168.0.1 tell 192.168.0.11
> 03:09:31.129068 arp reply 192.168.0.1 is-at 0:40:5:a7:2f:97
> 03:09:49.893388 192.168.0.11.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

> now the problem is, bridge fails every time when I see 03:09:31.129068 arp
> reply 192.168.0.1 is-at 0:40:5:a7:2f:97
> Network is not responding for couple of seconds, then it starts working
> normally again.
> I am kinda a beginner here at this, so what could be a problem?

I don't really know but: Does MAC address 0:40:5:a7:2f:97 actually correspond
to the NIC in your PC? An ifconfig will show the MAC address as HWaddr.

Klazmon.

> thanks


 
 
 

Post by Damir Gali » Thu, 25 Aug 2005 12:48:52


I forgot to mention this line:
$EBTABLES -t broute -A BROUTING -d 01:00:00:00:00:00/01:00:00:00:00:00 -j ACCEPT
without this line (should be for multicast), I see nothing while doing
tcpdump -n -i br0. Even my lan network works for over 20 min now... I guess
the problem is that line. It's letting all that stuff go through br0.
anyway after setting up bridge, macs are like this:
br0 00:40:05:A7:2F:97
eth0 00:40:05:A7:2F:97
eth1 00:50:BF:79:56:BE




>> hey, I am using ebtables in combination with brctl.
>> it's like this:

>> ifconfig eth0 192.168.1.100
>> ifconfig eth1 192.168.0.1
>> brctl addbr br0
>> brctl stp br0 off
>> brctl addif br0 eth0
>> brctl addif br0 eth1
>> ifconfig br0 0.0.0.0 up
>> ebtables -t broute -P BROUTING DROP
>> iptables -A INPUT -i br0 -j ACCEPT
>> iptables -A FORWARD -i br0 -o br0 -j ACCEPT

>> now this should work as if there was no bridge. right?
>> now why is tcpdump dropping all that data, when I am dropping everything
>> with ebtables?

> IIRC tcpdump sees the packets before any filtering occurs, i.e. its hook is
> at a lower level than the filters. If the ethernet switch port is set to
> monitor mode then your PC and tcpdump will see everything passing through the
> switch.

>> I am getting all this data with:
>> tcpdump -i br0 -n

>> 03:05:34.806888 0.00:50:8d:53:81:38.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
>> 03:06:21.951811 192.168.0.11.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
>> 03:06:21.951985 arp who-has 192.168.0.11 tell 192.168.0.12
>> 03:06:36.996925 10.38.0.1 > 224.0.0.1: igmp query v2 [tos 0xc0]  [ttl 1]
>> 03:06:41.606817 10.38.17.104 > 225.10.10.10: igmp v2 report 225.10.10.10 (DF) [ttl 1]
>> 03:06:42.749076 192.168.0.11 > 239.255.255.250: igmp v2 report 239.255.255.250 [ttl 1]
>> 03:08:42.016393 10.38.0.1 > 224.0.0.1: igmp query v2 [tos 0xc0]  [ttl 1]
>> 03:08:46.352990 10.38.17.104 > 225.10.10.10: igmp v2 report 225.10.10.10 (DF) [ttl 1]
>> 03:08:46.453257 192.168.0.12.138 > 192.168.0.255.138: NBT UDP PACKET(138)
>> 03:08:49.016695 192.168.0.12 > 239.255.255.250: igmp v2 report 239.255.255.250 [ttl 1]
>> 03:09:31.128966 arp who-has 192.168.0.1 tell 192.168.0.11
>> 03:09:31.129068 arp reply 192.168.0.1 is-at 0:40:5:a7:2f:97
>> 03:09:49.893388 192.168.0.11.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

>> now the problem is, bridge fails every time when I see 03:09:31.129068 arp
>> reply 192.168.0.1 is-at 0:40:5:a7:2f:97
>> Network is not responding for couple of seconds, then it starts working
>> normally again.
>> I am kinda a beginner here at this, so what could be a problem?

> I don't really know but: Does MAC address 0:40:5:a7:2f:97 actually correspond
> to the NIC in your PC? An ifconfig will show the MAC address as HWaddr.

> Klazmon.

>> thanks
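
Added example, not part of the thread: a Python model of how the `-d 01:00:00:00:00:00/01:00:00:00:00:00` match from the last post selects frames, applied to the destinations implied by the capture and to the two NIC addresses listed there. The function names and the sample table are constructed for illustration; it relies on the broute-table convention that ACCEPT bridges a frame and DROP hands it to the routing code.

```python
# Added illustration, not code from the thread.
import ipaddress

# Rule quoted in the last post: -d 01:00:00:00:00:00/01:00:00:00:00:00 -j ACCEPT
RULE_ADDR = "01:00:00:00:00:00"
RULE_MASK = "01:00:00:00:00:00"

def mac_to_int(mac):
    """Parse a MAC; tcpdump-style short octets ('0:40:5:...') are accepted."""
    octets = [int(p, 16) for p in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int.from_bytes(bytes(octets), "big")

def mask_match(dst, addr=RULE_ADDR, mask=RULE_MASK):
    """ADDR/MASK match: only the bits set in MASK are compared."""
    m = mac_to_int(mask)
    return (mac_to_int(dst) & m) == (mac_to_int(addr) & m)

def ipv4_multicast_mac(group):
    """Standard IPv4 group -> Ethernet mapping: 01:00:5e + low 23 bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    value = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    return ":".join(f"{b:02x}" for b in value.to_bytes(6, "big"))

def brouting_verdict(dst):
    """The rule, then policy DROP. In broute, ACCEPT = bridge, DROP = route."""
    return "bridge" if mask_match(dst) else "route"

def classify_sample():
    # Constructed sample: destinations implied by the capture in the thread,
    # plus the two NIC addresses listed in the last post.
    sample = {
        "broadcast (arp who-has, NBT, IPX)": "ff:ff:ff:ff:ff:ff",
        "igmp 224.0.0.1": ipv4_multicast_mac("224.0.0.1"),
        "igmp 225.10.10.10": ipv4_multicast_mac("225.10.10.10"),
        "igmp 239.255.255.250": ipv4_multicast_mac("239.255.255.250"),
        "unicast to eth0/br0": "00:40:05:A7:2F:97",
        "unicast to eth1": "00:50:BF:79:56:BE",
    }
    return {name: brouting_verdict(mac) for name, mac in sample.items()}

if __name__ == "__main__":
    for name, verdict in classify_sample().items():
        print(f"{verdict:6}  {name}")
```

Every broadcast and multicast destination has the low bit of its first octet set, so all of them match the rule and are bridged, while unicast frames fall through to the DROP policy and are routed.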