netdev.vger.kernel.org archive mirror
From: "Greg Scott" <GregScott@Infrasupport.com>
To: <netdev@vger.kernel.org>
Cc: "Graham Parenteau" <adfgrahame1@gmail.com>
Subject: Very confused about broute DROP
Date: Thu, 15 Sep 2011 17:48:21 -0500	[thread overview]
Message-ID: <925A849792280C4E80C5461017A4B8A2A04438@mail733.InfraSupportEtc.com> (raw)
In-Reply-To: 925A849792280C4E80C5461017A4B8A2A0414B@mail733.InfraSupportEtc.com

I don't get this.  Why does:

ebtables -t broute -A BROUTING -j DROP

completely knock a Linux host offline?

This is what the man page for ebtables says:

The targets DROP and ACCEPT have a special meaning in the broute table
(these names are used instead of more descriptive  names  to  keep the
implementation  generic).   DROP  actually means the frame has to be
routed, while ACCEPT means the frame has to be bridged. The BROUTING
chain is traversed very early. However, it is  only  traversed  by
frames  entering  on  a bridge port that is in forwarding state.
Normally those frames would be bridged, but you can decide otherwise
here. The redirect target is very handy here.

So based on the above paragraph, I should be able to do something like
this:

# Here is what to bridge
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $PUBLIC_IP1 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $PUBLIC_IP2 -j ACCEPT

# Route everything else
ebtables -t broute -A BROUTING -j DROP

So I tried above and knocked that box completely offline.  I'm missing
something.

Here is what the paragraph about redirect in the ebtables man pages
says: 

The  redirect target will change the MAC target address to that of the
bridge device the frame arrived on. This target can only be used in the
BROUTING chain of the broute table and the PREROUTING chain of  the  nat
table.  In  the  BROUTING  chain,  the MAC address of the bridge port is
used as destination address, in the PREROUTING chain, the MAC address of
the bridge is used.

OK - so this target MAC address - is this the MAC Address of an ethnn
port that's part of the bridge, or the MAC Address of another node?  I
was thinking it was the MAC Address of another node, but maybe it's just
the MAC Address of a port on this bridge?  

And there are some examples here:
http://ebtables.sourceforge.net/examples/basic.html#ex_redirect

that I really don't get.  So instead of trial and error guessing, I
figured I would ask.  

If anyone can help me understand this, I'll take a stab at writing it up
as clearly as I know how for use in future versions of man pages.  

Thanks

- Greg Scott
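Added example (editor's, not from the thread or the ebtables project) illustrating the broute semantics quoted above: in the broute table ACCEPT means "bridge this frame" and DROP means "route it", i.e. hand it to the IP stack as if it had arrived on the ingress port device rather than on the bridge device. A catch-all DROP therefore also diverts ARP and the frames addressed to the host's own bridge MAC, which is one way a ruleset like the one posted can take a box off the network. The script below emits the ruleset as posted next to a variant that keeps ARP and host-bound frames on the bridge path, plus a dry-run decision function that mirrors the first-match order. The IPs (RFC 5737 ranges), the bridge MAC and the "safe" rule choices are assumptions; nothing here is confirmed by the original message.

```shell
#!/bin/sh
# Added example, not part of the original thread. All addresses are constructed.
# broute table: -j ACCEPT = bridge the frame, -j DROP = route it (IP stack sees
# it on the ingress port device, not on the bridge device).

# Ruleset as posted: bridge frames for two public IPs, broute everything else.
# The final DROP also catches ARP and frames for the host itself.
broute_rules_naive() {
    ip1=$1; ip2=$2
    cat <<EOF
ebtables -t broute -F BROUTING
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $ip1 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $ip2 -j ACCEPT
ebtables -t broute -A BROUTING -j DROP
EOF
}

# Same intent, but (assumption: the fix the editor would try first) keep
# bridging ARP so the public IPs can still be resolved across the bridge, and
# keep bridging frames addressed to the bridge's own MAC so the host's address
# on the bridge device stays reachable. Only the remainder is routed.
broute_rules_safe() {
    ip1=$1; ip2=$2; brmac=$3
    cat <<EOF
ebtables -t broute -F BROUTING
ebtables -t broute -A BROUTING -p ARP -j ACCEPT
ebtables -t broute -A BROUTING -d $brmac -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $ip1 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-destination $ip2 -j ACCEPT
ebtables -t broute -A BROUTING -j DROP
EOF
}

# Count the rules in a generated set whose broute verdict is "bridge".
count_bridged() { grep -c -- '-j ACCEPT'; }

# Dry-run verdict for one frame under the safe ruleset, first match wins.
# Args: proto dst_mac dst_ip ip1 ip2 bridge_mac. Prints "bridge" or "route".
broute_decide() {
    proto=$1; dstmac=$2; dstip=$3; ip1=$4; ip2=$5; brmac=$6
    if [ "$proto" = ARP ] || [ "$dstmac" = "$brmac" ] \
       || [ "$dstip" = "$ip1" ] || [ "$dstip" = "$ip2" ]; then
        echo bridge
    else
        echo route
    fi
}

# Usage: review, then apply with "| sh" as root, and inspect the result with
# "ebtables -t broute -L". Constructed addresses:
broute_rules_safe 203.0.113.10 203.0.113.11 aa:bb:cc:dd:ee:ff
```

Run the generated lines through sh only after checking them; `ebtables -t broute -L` shows the resulting chain. The verdict names are the ones ebtables uses, so remember when reading the listing that DROP in this table never discards a frame.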

Thread overview: 26+ messages
2011-07-11 18:25 Bridging behavior apparently changed around the Fedora 14 time Greg Scott
2011-07-11 20:07 ` Stephen Hemminger
2011-07-11 20:41   ` Greg Scott
2011-07-11 20:49     ` Stephen Hemminger
2011-07-11 21:08       ` Greg Scott
2011-07-11 21:10         ` Stephen Hemminger
2011-07-11 21:16           ` Ben Greear
2011-07-12  3:06             ` Greg Scott
2011-07-11 21:16           ` Greg Scott
2011-07-11 21:24             ` Stephen Hemminger
2011-07-12  0:02         ` David Lamparter
2011-07-12  2:38           ` Greg Scott
2011-07-12  3:39             ` David Lamparter
2011-07-12 14:30               ` Greg Scott
2011-07-12 14:54                 ` David Lamparter
2011-07-12 16:28                   ` Greg Scott
2011-07-21  4:40                     ` Greg Scott
2011-07-21 15:01                       ` Greg Scott
     [not found]                       ` <925A849792280C4E80C5461017A4B8A2A0413A@mail733.InfraSupportEtc.com>
2011-07-22  4:39                         ` Greg Scott
2011-07-22  6:20                           ` Greg Scott
2011-09-15 22:48                             ` Greg Scott [this message]
2011-09-15 23:08                               ` Very confused about broute DROP Christian Benvenuti (benve)
2011-09-16  3:19                                 ` Greg Scott
2011-09-16  4:23                                   ` Christian Benvenuti (benve)
2011-09-16 14:55                                     ` Greg Scott
2011-09-18  1:47                                       ` Greg Scott
