* postrouting and mac address
From: Fabio Marcone @ 2009-07-21 12:05 UTC (permalink / raw)
  To: netfilter

Hi!
I have a Linux router and I need to filter packets in the POSTROUTING chain
using the source MAC address. But... in the POSTROUTING chain, what is the source
MAC address? The MAC address of the effective source of the packet, or the router
interface's MAC address?

Thanks in advance,
Fabio


* Re: postrouting and mac address
From: Julien Vehent @ 2009-07-21 12:20 UTC (permalink / raw)
  To: Fabio Marcone; +Cc: netfilter

On Tue, 21 Jul 2009 14:05:43 +0200, Fabio Marcone <fabio.marcone@duet.it>
wrote:
> Hi!
> I have a Linux router and I need to filter packets in the POSTROUTING chain
> using the source MAC address. But... in the POSTROUTING chain, what is the source
> MAC address? The MAC address of the effective source of the packet, or the router
> interface's MAC address?
> 
> Thanks in advance,
> Fabio

Hi Fabio,

I don't think you can filter packets in postrouting.
The only tables available in POSTROUTING are mangle and nat.

To filter packets in a router, I think you have to do it in the FORWARD
chain.

see: http://jengelh.medozas.de/images/nf-packet-flow.png

Julien

-- 
julien
http://jve.linuxwall.info/blog



* Re: postrouting and mac address
From: Fabio Marcone @ 2009-07-21 13:10 UTC (permalink / raw)
  To: netfilter

Hi!
there was a misunderstanding: by "filter" I mean "recognize". I don't want 
to drop packets in POSTROUTING, I know it is impossible, but I need to 
recognize in POSTROUTING packets from a certain source (by MAC address, not 
by IP).

I don't know when a packet's source MAC address is modified by the router.

Thanks,
Fabio
> Hi Fabio,
>
> I don't think you can filter packets in postrouting.
> The only tables available in POSTROUTING are mangle and nat.
>
> To filter packets in a router, I think you have to do it in the FORWARD
> chain.
>
> see: http://jengelh.medozas.de/images/nf-packet-flow.png
>
> Julien
>
>   



* Re: postrouting and mac address
From: Fabio Marcone @ 2009-07-21 13:24 UTC (permalink / raw)
  To: netfilter

I tried to add this debug rule:
iptables -t mangle -A POSTROUTING -o eth0 -m mac --mac-source 
00:e0:7d:ec:96:1b -j LOG --log-prefix "POST_MAC "

but I got this error:
ip_tables: mac match: bad hook_mask 0x10/0x7

so I can't recognize packets by source MAC in the POSTROUTING chain, can I?

Fabio


Fabio Marcone wrote:
> Hi!
> there was a misunderstanding: by "filter" I mean "recognize". I don't 
> want to drop packets in POSTROUTING, I know it is impossible, but I 
> need to recognize in POSTROUTING packets from a certain source (by MAC 
> address, not by IP).
>
> I don't know when a packet's source MAC address is modified by the router.
>
> Thanks,
> Fabio



* Re: postrouting and mac address
From: Pascal Hambourg @ 2009-07-21 13:30 UTC (permalink / raw)
  To: netfilter

Hello,

Fabio Marcone wrote:
> Hi!
> there was a misunderstanding: by "filter" I mean "recognize". I don't want 
> to drop packets in POSTROUTING, I know it is impossible,

It is possible (DROP exists in all tables), but should not be done.

> but I need to 
> recognize in POSTROUTING packets from a certain source (by MAC address, not 
> by IP).

Can't you MARK packets in earlier chains (PREROUTING or FORWARD) and use 
the mark in POSTROUTING?




* Re: postrouting and mac address
From: Fabio Marcone @ 2009-07-21 13:36 UTC (permalink / raw)
  To: netfilter


>
> It is possible (DROP exists in all tables), but should not be done.
I know that DROP is only in the INPUT, FORWARD and OUTPUT chains...

> Can't you MARK packets in earlier chains (PREROUTING or FORWARD) and 
> use the mark in POSTROUTING ?

perhaps it is the only solution, but I would like to recognize packets in 
POSTROUTING to send them to an IMQ virtual interface.

Fabio


* Re: postrouting and mac address
From: Gáspár Lajos @ 2009-07-21 13:53 UTC (permalink / raw)
  To: Fabio Marcone; +Cc: netfilter

Fabio Marcone wrote:
> perhaps it is the only solution, but I would like to recognize packets in 
> POSTROUTING to send them to an IMQ virtual interface.
Or maybe you can tell us what you really want...
I mean: What is the purpose of logging by mac in the POSTROUTING chain?

Swifty


* Re: postrouting and mac address
From: Pascal Hambourg @ 2009-07-21 13:59 UTC (permalink / raw)
  Cc: netfilter

Fabio Marcone wrote:
> 
>> It is possible (DROP exists in all tables), but should not be done.
> I know that drop is only in INPUT, FORWARD and OUTPUT chain...

This is not quite correct. DROP is available in all tables and chains. 
However the "orthodoxy" is to do filtering only in the 'filter' table.

>> Can't you MARK packets in earlier chains (PREROUTING or FORWARD) and 
>> use the mark in POSTROUTING ?
> 
> perhaps it is the only solution, but I would like to recognize packets in 
> POSTROUTING to send them to an IMQ virtual interface.

What is the problem in using a mark to do this?
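The "bad hook_mask 0x10/0x7" error from the 13:24 message and the MARK-based workaround Pascal proposes, as an added shell example that is not part of the thread: the first function decodes ip_tables' "bad hook_mask A/B" message into chain names (the mac match is only valid in PREROUTING, INPUT and FORWARD, where the received frame's link-layer header is still at hand; in POSTROUTING the outgoing header has not been built yet), and the second prints the rules that classify by source MAC in PREROUTING and act on the fwmark in POSTROUTING. Interface names, the mark value and the IMQ device number are assumptions, and the IMQ target itself exists only with the out-of-tree IMQ patch.

```shell
#!/bin/sh
# Added example, not code from the thread: decodes ip_tables' "bad hook_mask A/B"
# error and prints the MARK-based workaround. Hook bit numbers are the kernel's
# NF_IP_*/NF_INET_* hook constants (0=PRE_ROUTING ... 4=POST_ROUTING).

hook_name() {
    case "$1" in
        0) echo PREROUTING ;;
        1) echo INPUT ;;
        2) echo FORWARD ;;
        3) echo OUTPUT ;;
        4) echo POSTROUTING ;;
        *) echo "bit$1" ;;
    esac
}

# Comma-separated chain names for the bits set in a hex mask such as 0x7.
mask_to_chains() {
    mask=$(($1)); out=""; bit=0     # POSIX arithmetic accepts 0x literals
    while [ "$bit" -le 4 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$(hook_name "$bit")"
        fi
        bit=$((bit + 1))
    done
    echo "$out"
}

# decode_hook_mask <hooks the rule sits in> <hooks the match allows>
# "mac match: bad hook_mask 0x10/0x7"  ->  decode_hook_mask 0x10 0x7
decode_hook_mask() {
    echo "rule in: $(mask_to_chains "$1"); match valid in: $(mask_to_chains "$2")"
}

# Workaround: match the MAC where the mac match is valid (PREROUTING), carry the
# decision as an fwmark, and act on the mark in POSTROUTING. Interface names,
# the mark value and the IMQ device number are placeholders (assumptions).
mark_based_rules() {
    mac="$1"; in_if="$2"; out_if="$3"; mark="${4:-0x1}"
    echo "iptables -t mangle -A PREROUTING -i $in_if -m mac --mac-source $mac -j MARK --set-mark $mark"
    echo "iptables -t mangle -A POSTROUTING -o $out_if -m mark --mark $mark -j LOG --log-prefix \"POST_MAC \""
    # The IMQ target exists only with the out-of-tree IMQ patch applied.
    echo "iptables -t mangle -A POSTROUTING -o $out_if -m mark --mark $mark -j IMQ --todev 0"
}

# Review the generated rules before applying them (e.g. mark_based_rules ... | sh).
decode_hook_mask 0x10 0x7
mark_based_rules 00:e0:7d:ec:96:1b eth1 eth0
```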



