From: Stephen Hemminger <shemminger@vyatta.com>
To: "Greg Scott" <GregScott@Infrasupport.com>
Cc: <netdev@vger.kernel.org>,
	"Lynn Hanson" <LynnHanson@eaganhills.org>,
	"Joe Whalen" <JoeWhalen@eaganhills.org>
Subject: Re: Bridging behavior apparently changed around the Fedora 14 time
Date: Mon, 11 Jul 2011 14:24:49 -0700
Message-ID: <20110711142449.1f957af5@nehalam.ftrdhcpuser.net>
In-Reply-To: <925A849792280C4E80C5461017A4B8A2A040F7@mail733.InfraSupportEtc.com>

On Mon, 11 Jul 2011 16:16:40 -0500
"Greg Scott" <GregScott@Infrasupport.com> wrote:

> > The bridge code calls dev_set_promiscuity() which should
> > be changing device mode. But it could be that netdev core is 
> > resetting/changing/breaking that.
> 
> Is it supposed to change the physical ethnn devices or the br device?

The physical device ethnn.

> Here is what I do to set up the bridging. I do it myself right in the
> script so I can control all the details.
> 
> .
> .
> .
> #
> # Setup bridging
> #
> 
> echo "Setting up bridge $BR_IFACE to bridge $INET_IFACE with $TRUSTED1_IFACE"
> 
> $BRCTL addbr $BR_IFACE
> $BRCTL addif $BR_IFACE $INET_IFACE
> $BRCTL addif $BR_IFACE $TRUSTED1_IFACE
> 
> echo "  Adding $BR_IP_SLASH and $TRUSTED1_IP_SLASH IP Addresses to $BR_IFACE"
> /sbin/ip addr add $BR_IP_SLASH broadcast $BR_BCAST_ADDRESS dev $BR_IFACE
> /sbin/ip addr add $TRUSTED1_IP_SLASH broadcast $TRUSTED1_BCAST_ADDRESS dev $BR_IFACE
> /sbin/ip link set $BR_IFACE up
> 
> echo "  Removing $INET_IP_SLASH and $TRUSTED1_IP_SLASH from $INET_IFACE and $TRUSTED1_IFACE"
> /sbin/ip addr del $INET_IP_SLASH dev $INET_IFACE
> /sbin/ip addr del $INET_IP_SLASH dev $INET_IFACE
> /sbin/ip addr del $TRUSTED1_IP_SLASH dev $TRUSTED1_IFACE
> /sbin/ip addr del $TRUSTED1_IP_SLASH dev $TRUSTED1_IFACE
> 
> echo "  Putting $BR_IFACE into promiscuous mode"
> # This fixes a bug forwarding packets bound for external IP Addresses
> # from the private LAN.
> 
> ip link set $BR_IFACE promisc on
> 

What is supposed to happen is that the bridge adds all the interface
MAC addresses to the forwarding table as permanent entries. To show the
forwarding table:
  # brctl showmacs br0

port no	mac addr		is local?	ageing timer
  1	c6:eb:2a:0c:12:eb	yes		   0.00

Then when a packet arrives with that MAC address it is handed up to
netfilter, then if not firewalled, it goes on to the IP stack.

There may be protections against a packet going back out the same interface
that are getting tripped by all the rewriting.
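The check implied above, as an added example that is not part of this thread: given the output of `brctl showmacs` and the list of bridge ports with their MACs, report any port whose MAC is missing as a local (permanent) forwarding-table entry. The `brctl showmacs` text and the port list are constructed samples; `missing_local_entries` and `check_local_entries` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of `brctl showmacs br0`
# output (whitespace-separated columns: port no, mac addr, is local?, ageing timer).
SAMPLE_MACS='port no  mac addr           is local?  ageing timer
  1  c6:eb:2a:0c:12:eb  yes        0.00
  2  00:11:22:33:44:55  no        12.34
  2  0a:0b:0c:0d:0e:0f  yes        0.00'

# Constructed port list, "ifname mac" per line. On a live system this would be
# built from /sys/class/net/$BR/brif/*/address (assumption about the sysfs layout).
SAMPLE_PORTS='eth0 c6:eb:2a:0c:12:eb
eth1 0a:0b:0c:0d:0e:0f
eth2 de:ad:be:ef:00:01'

# missing_local_entries MACS PORTS
# Prints, space-separated, the ports whose MAC has no "yes" (local) entry
# in the forwarding-table text. Prints nothing when every port is covered.
missing_local_entries() {
    macs=$1
    ports=$2
    missing=""
    # Here-document instead of a pipe so the loop runs in the current shell
    # and can accumulate into $missing under POSIX sh.
    while read -r ifname mac; do
        [ -z "$ifname" ] && continue
        # A local entry is a row whose 2nd field is this MAC and 3rd field is "yes".
        if ! printf '%s\n' "$macs" |
             awk -v m="$mac" '$2 == m && $3 == "yes" { found = 1 } END { exit !found }'; then
            missing="$missing $ifname"
        fi
    done <<EOF
$ports
EOF
    printf '%s' "${missing# }"
}

# check_local_entries MACS PORTS
# Returns 0 when all ports have a local entry, 1 otherwise (and names the gaps).
check_local_entries() {
    gaps=$(missing_local_entries "$1" "$2")
    if [ -n "$gaps" ]; then
        echo "ports without a local fdb entry: $gaps" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples (eth2 is expected to be missing).
check_local_entries "$SAMPLE_MACS" "$SAMPLE_PORTS"
```

In practice replace `$SAMPLE_MACS` with `$(brctl showmacs "$BR_IFACE")` and build the port list from the bridge's ports; the check passes only when every port's MAC shows `is local? yes`.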
