From: "Christian Benvenuti (benve)" <benve@cisco.com>
To: "Greg Scott" <GregScott@Infrasupport.com>, <netdev@vger.kernel.org>
Cc: "Graham Parenteau" <adfgrahame1@gmail.com>
Subject: RE: Very confused about broute DROP
Date: Thu, 15 Sep 2011 18:08:09 -0500
Message-ID: <184D23435BECB444AB6B9D4630C8EC83028548FD@XMB-RCD-303.cisco.com>
In-Reply-To: <925A849792280C4E80C5461017A4B8A2A04438@mail733.InfraSupportEtc.com>

How about ARP? You need it too ...

> -----Original Message-----
> From: netdev-owner@vger.kernel.org [mailto:netdev-owner@vger.kernel.org] On Behalf Of Greg Scott
> Sent: Thursday, September 15, 2011 3:48 PM
> To: netdev@vger.kernel.org
> Cc: Graham Parenteau
> Subject: Very confused about broute DROP
> 
> I don't get this.  Why does:
> 
> ebtables -t broute -A BROUTING -j DROP
> 
> completely knock a Linux host offline?
> 
> This is what the man page for ebtables says:
> 
> The targets DROP and ACCEPT have a special meaning in the broute table
> (these names are used instead of more descriptive names to keep the
> implementation generic). DROP actually means the frame has to be
> routed, while ACCEPT means the frame has to be bridged. The BROUTING
> chain is traversed very early. However, it is only traversed by
> frames entering on a bridge port that is in forwarding state.
> Normally those frames would be bridged, but you can decide otherwise
> here. The redirect target is very handy here.
> 
> So based on the above paragraph, I should be able to do something like
> this:
> 
> # Here is what to bridge
> ebtables -t broute -A BROUTING -p IPv4 --ip-destination $PUBLIC_IP1 -j ACCEPT
> ebtables -t broute -A BROUTING -p IPv4 --ip-destination $PUBLIC_IP2 -j ACCEPT
> 
> # Route everything else
> ebtables -t broute -A BROUTING -j DROP
> 
> So I tried the above and knocked that box completely offline. I'm missing
> something.
> 
> Here is what the paragraph about redirect in the ebtables man pages
> says:
> 
> The redirect target will change the MAC target address to that of the
> bridge device the frame arrived on. This target can only be used in the
> BROUTING chain of the broute table and the PREROUTING chain of the nat
> table. In the BROUTING chain, the MAC address of the bridge port is
> used as destination address, in the PREROUTING chain, the MAC address
> of the bridge is used.
> 
> OK - so this target MAC address - is this the MAC Address of an ethnn
> port that's part of the bridge, or the MAC Address of another node? I
> was thinking it was the MAC Address of another node, but maybe it's
> just the MAC Address of a port on this bridge?
> 
> And there are some examples here:
> http://ebtables.sourceforge.net/examples/basic.html#ex_redirect
> 
> that I really don't get.  So instead of trial and error guessing, I
> figured I would ask.
> 
> If anyone can help me understand this, I'll take a stab at writing it
> up as clearly as I know how for use in future versions of man pages.
> 
> Thanks
> 
> - Greg Scott
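The rule set Greg posted, with the ARP exception Christian points at, as an added example that is not part of either message. It assumes a `run` parameter (the `ebtables` binary, or `echo` for a dry run) and placeholder public addresses; the broute naming is the inverted one the man page describes (ACCEPT = bridge, DROP = route).

```shell
#!/bin/sh
# Added example: Greg's broute rule set plus an ARP rule, so that only
# IPv4 to the two public addresses and ARP are bridged and everything
# else is routed. PUBLIC_IP1/PUBLIC_IP2 are constructed placeholders.
set -eu

PUBLIC_IP1="${PUBLIC_IP1:-198.51.100.10}"   # placeholder value
PUBLIC_IP2="${PUBLIC_IP2:-198.51.100.11}"   # placeholder value

# $1 is the command used to apply each rule: "ebtables" on the bridge,
# "echo" to just print the rules for review (used by the dry run below).
broute_rules() {
    run="${1:-ebtables}"
    # Start from an empty BROUTING chain so rule order is what we expect.
    "$run" -t broute -F BROUTING
    # ARP must be bridged: without this rule ARP falls through to the
    # final DROP (= route) and hosts on the far side of the bridge never
    # see ARP requests or replies, which is what took Greg's box offline.
    "$run" -t broute -A BROUTING -p ARP -j ACCEPT
    # IPv4 frames for the two public addresses are bridged.
    "$run" -t broute -A BROUTING -p IPv4 --ip-destination "$PUBLIC_IP1" -j ACCEPT
    "$run" -t broute -A BROUTING -p IPv4 --ip-destination "$PUBLIC_IP2" -j ACCEPT
    # Everything else is routed (broute DROP means "route, do not bridge").
    "$run" -t broute -A BROUTING -j DROP
}

# Dry run: print the rules instead of applying them.
broute_rules echo
```

If bridging all ARP is too broad, the ARP rule can be narrowed to the two addresses with ebtables' `--arp-ip-dst` match; the order (specific ACCEPTs first, the catch-all DROP last) must stay as shown.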
