Fwd: Need guidance in - dropping incoming packets to a interface in a bridged network.

Fwd: Need guidance in - dropping incoming packets to a interface in a bridged network.

[namus]

Hi Team,

My device contains 2 ethernet interfaces(eth1 and eth2)  added to
bridge interface(br0)
I am trying to DROP all the packets to eth1 interface based on some
user-condition .
and I am new to netlink programming apis.


I did get past thru :
drv->nf_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
getsockopt(drv->nf_sock,IPPROTO_IP,IPT_SO_GET_INFO,&info,&nf_sock_len)
getsockopt(drv->nf_sock, IPPROTO_IP, IPT_SO_GET_ENTRIES, &entries,&tmp)


now I am struck in finding exact match in those entries , replacing it
with DROP rule and commit the (DROP) rule .
Could you please help me in this ?

Also I tried to get the debug : /tmp/libiptc-so_get_entries.blob file
can you please suggest me (with od / hexdump/.. tool) command to view
the details in that file.


or any other approach to solve ..from here .. ?

More info:

I am using linux kernel 2.6.31 and
iptables 1.4.9.1
ebtables 2.0.6
libnfnetlink-1.0.0
libnl2  libraries


I am confused whether to use socket-based or to include libiptc in my
code to invoke functions.. whichever way would be suitable for my
implementation , could you
please point me in that direction?


Following commands do not work:

iptables -t filter -I INPUT -i eth2 -j DROP (doesn't drop any packets
- checked via tcpdump of eth2 )
iptables -t filter -I FORWARD -i eth2 -j DROP (doesn't drop any
packets - checked via tcpdump of eth2 )

whereas following commands work:

iptables -t filter -I INPUT  -j DROP (does work .. cant see any
packets flowing thru )
iptables -t filter -I FORWARD -j DROP (does work .. cant see any
packets flowing thru)


iptables -t filter -I INPUT -i br0 -j DROP (does work .. cant see any
packets flowing thru )
iptables -t filter -I FORWARD -i br0 -j DROP (does work .. cant see
any packets flowing thru)

I hope bridging is playing a role in dropping the packets here.

Your help will be greatly appreciated .
Thanks in Advance,
Suman.

Re: Fwd: Need guidance in - dropping incoming packets to a interface in a bridged network.

[Pascal Hambourg]

Le 25/07/2016 à 12:37, namus a écrit :
> Hi Team,
>
> My device contains 2 ethernet interfaces(eth1 and eth2)  added to
> bridge interface(br0)
> I am trying to DROP all the packets to eth1 interface based on some
> user-condition .
(...)
> Following commands do not work:
>
> iptables -t filter -I INPUT -i eth2 -j DROP (doesn't drop any packets
> - checked via tcpdump of eth2 )

Check the "physdev" match.

Re: Fwd: Need guidance in - dropping incoming packets to a interface in a bridged network.

[namus]

Hi Pascal,

Your suggestion has worked ..

$iptables -t filter  -I FORWARD  -m physdev --physdev-in eth2  -j DROP
(works ie.,  drops the incoming packets )

$iptables -t filter  -D FORWARD  -m physdev --physdev-in eth2  -j DROP
(undo / del the previous rule .. allows incoming  packets)

Could you please guide me .. How to send the (DROP) message via
setting the socket options (programmatically) ..
ie., in filling-up the ipt_replace/xt_entry_match/xt_entry_target
structure data structure / could you please point me to any simple
example of "physdev" match case .


Thanks a lot ,
Suman.

On Mon, Jul 25, 2016 at 9:07 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> Le 25/07/2016 à 12:37, namus a écrit :
>>
>> Hi Team,
>>
>> My device contains 2 ethernet interfaces(eth1 and eth2)  added to
>> bridge interface(br0)
>> I am trying to DROP all the packets to eth1 interface based on some
>> user-condition .
>
> (...)
>>
>> Following commands do not work:
>>
>> iptables -t filter -I INPUT -i eth2 -j DROP (doesn't drop any packets
>> - checked via tcpdump of eth2 )
>
>
> Check the "physdev" match.
>