RE: Very confused about broute DROP

["Greg Scott" <GregScott@Infrasupport.com>]

Definitely counter-intuitive in my head.  Three little ebtables rules -
ACCEPT anything IPv4 - which includes ARPs - for a couple of IP
Addresses and then DROP everything else for all protocols.  (Which
really means bridge for those IPv4 Addresses and route for everything
else.)

I don't see how a rule specific to ARPs matters here.  ARP is an IPv4
protocol and should be implied in the rules I set up - right?  Why a
rule specific to ARPs when it's already part of IPv4?

This just hit me - layer 2 is stateless.  I have ACCEPT rules for frames
bound for **destination** IPv4 IP Addresses.  I wonder if I need similar
rules for these same IP Addresses as sources?  But that still doesn't
make sense - that rule to DROP everything else covers all sources and
all destinations.  When I put in that ebtables DROP rule, the box turns
into a black hole instead of a router.  

Maybe one day the lightbulb will light up in my head, but right now I
still don't get it.

- Greg



-----Original Message-----
From: Christian Benvenuti (benve) [mailto:benve@cisco.com] 
Sent: Thursday, September 15, 2011 11:23 PM
To: Greg Scott; netdev@vger.kernel.org
Cc: Graham Parenteau
Subject: RE: Very confused about broute DROP

What I meant is that your host needs to be able to route
(which means ... to process) its own ARP traffic, ... IPv4
does not work without ARP, right?
This means you need to add one more DROP rule for the ARP
traffic that is addressed to the MAC of the host interfaces
(nothing to do with proxy ARP).

/Chris