Bart De Schuymer | 1 Mar 10:16 2003

Re: bug? kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled

> OK, but I tried it with an IP address on the bridge interface and I get the
> same error message in the kernel as I wrote above.

I have tried the following scheme on my little test network, for both 2.5 and 
2.4.20 + patches:

eth0 = connection to Internet
br0 = eth1+eth2
br0 has no IP address
iptables -t nat -A PREROUTING -s 172.16.1.2 -d 172.16.1.4 -j DNAT --to-dest 216.239.51.101
route add -net 172.16.1.0 netmask 255.255.255.0 dev br0

172.16.1.2 is on the eth1 side, .4 on the eth2 side, the dest (216.239.51.101) 
is google.
I then ping 172.16.1.4 from 172.16.1.2 and everything works as expected: 
google responds to my bridge box, which SNATs it to 172.16.1.4 and sends it 
to 172.16.1.2.

Is there anything essentially different between this setup and yours? 
Because, with me, this works.

-- 
cheers,
Bart
Bart De Schuymer | 1 Mar 10:21 2003

Re: clarification/ newbie

On Friday 28 February 2003 08:06, S Mohan wrote:
> I'm using a bridge and want to use firewalling on that. As it stands,
> without ebtables, it looks like iptables filtering can only be done on the
> FORWARD chain. I, however, need to use direction on interfaces and states
> to do a proper filtering job. I read thro' what ebtables had to offer.

iptables PREROUTING and POSTROUTING work too for bridged frames.

> I am looking for a confirmation that ebtables syntax is identical to
> iptables syntax. If so, I can rewrite my script generator to use iptables
> if it is a router and ebtables if it is a bridge. **Clarification** all
> iptables syntax will work in ebtables (vice versa not mandatory).

There are differences, read the manual.

-- 
cheers,
Bart
Bart De Schuymer | 2 Mar 21:59 2003

Re: bug? kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled

> I have tried the following scheme on my little test network, for both 2.5
> and 2.4.20 + patches:
>
> eth0 = connection to Internet
> br0 = eth1+eth2
> br0 has no IP address
> iptables -t nat -A PREROUTING -s 172.16.1.2 -d 172.16.1.4 -j DNAT --to-dest 216.239.51.101
> route add -net 172.16.1.0 netmask 255.255.255.0 dev br0

Just for the record: kolisko's "bug" was "removed" when the necessary routing 
table entry was added.

-- 
cheers,
Bart
- = k o l i s k o = - | 3 Mar 09:19 2003

Re: bug? kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled

On Sat, 2003-03-01 at 10:16, Bart De Schuymer wrote:
> > OK, but I tried it with an IP address on the bridge interface and I get the
> > same error message in the kernel as I wrote above.
> 
> I have tried the following scheme on my little test network, for both 2.5 and 
> 2.4.20 + patches:
> 
> eth0 = connection to Internet
> br0 = eth1+eth2
> br0 has no IP address
> iptables -t nat -A PREROUTING -s 172.16.1.2 -d 172.16.1.4 -j DNAT --to-dest 216.239.51.101
> route add -net 172.16.1.0 netmask 255.255.255.0 dev br0

Thank you. I didn't have this route in my routing table. When I add this
route, the kernel message disappears. Tx.

> 
> 172.16.1.2 is on the eth1 side, .4 on the eth2 side, the dest (216.239.51.101) 
> is google.
> I then ping 172.16.1.4 from 172.16.1.2 and everything works as expected: 
> google responds to my bridge box, which SNATs it to 172.16.1.4 and sends it 
> to 172.16.1.2.
> 
> Is there anything essentially different between this setup and yours? 
> Because, with me, this works.
> 

My topology is a little bit different. 

(Continue reading)

- = k o l i s k o = - | 3 Mar 10:10 2003

Re: bug? kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled

On Sun, 2003-03-02 at 22:16, Bart De Schuymer wrote:
> > route add -net 0.0.0.0 netmask 0.0.0.0 dev br1
> > route add -net 0.0.0.0 netmask 0.0.0.0 dev br3
> 
> You can send stuff destined to hosts on br1 to the br1 device, using the 
> appropriate routing table entry. I don't see what your problem is...
> Anyway, my vlan knowledge is limited.

It is not about VLANs, forget VLANs.

For example, you have a firewall with 5 physical interfaces.

eth0 and eth1 are in br0
eth2 and eth3 are in br1
eth4 is connected to the proxy and has an IP address

The firewall is not designed like your testing topology. 
In this example topology, the firewall connects TWO computers with
public addresses to the internet. 

Like in this picture:

         bridge firewall      router
         +-------------+    +--------+
comp1 -- |eth0-br0-eth1| -- |        | -- internet
comp2 -- |eth2-br1-eth3| -- |        |
         |    eth4     |    +--------+
         +------+------+
                |
            +---+----+
(Continue reading)

Julian Anastasov | 3 Mar 11:23 2003

Re: bug? kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled


	Hello,

On 3 Mar 2003, - = k o l i s k o = - wrote:

> the traffic originates from the internet. And IT is the big problem
> for me. Because it means that I need TWO DEFAULT ROUTES (TWO DEFAULT
> GATEWAYS) on one machine:
>
> route add -net 0.0.0.0 netmask 0.0.0.0 dev br0
> route add -net 0.0.0.0 netmask 0.0.0.0 dev br1
>
> And I guess it is not possible. Because Linux doesn't know virtual routing.

	It can be done, but with the normal kernel it is a bit limited:

http://www.ssi.bg/~ja/#routes

	Read nano.txt and dgd-usage.txt about alternative routes

> kolisko

Regards

--
Julian Anastasov <ja <at> ssi.bg>
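
The two routing situations in this thread, Bart's single bridge with a DNAT rule and kolisko's two bridges with a public host behind each, as a constructed example. It is added here and is not code from the thread, from the bridge code or from ebtables. It keeps the thread's addresses and device names, makes up the two public host addresses that kolisko's sketch leaves unstated (198.51.100.1 and .2), and treats routing as a plain longest-prefix match with ties going to the earliest entry, which is an assumption made for this example and not a rendering of the kernel's FIB; source masquerading and the kernel's own "requires IP forwarding" check are not modelled. What it shows: once PREROUTING DNAT has rewritten the destination of a bridged frame, the box needs routes like any router, so the reply to 172.16.1.2 follows the default route out eth0 until the 172.16.1.0/24 route via br0 that Bart lists is present, and two default routes over br0 and br1 in one table leave the second one unused, which is why the thread turns to the alternative routes Julian points to.

```c
#include <arpa/inet.h>   /* inet_pton(), ntohl() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy route table: longest prefix wins, ties go to the earliest entry. That is
 * an assumption of this example, not a description of the kernel FIB. */
#define MAX_ROUTES 16
struct route { uint32_t net; int plen; const char *dev; };
struct rtable { struct route r[MAX_ROUTES]; int n; };

static uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

static uint32_t prefix_mask(int plen) { return plen ? 0xffffffffu << (32 - plen) : 0; }

/* "route add -net NET netmask MASK dev DEV", with the netmask as a prefix length */
static void route_add(struct rtable *t, const char *net, int plen, const char *dev)
{
    if (t->n == MAX_ROUTES) return;
    t->r[t->n].net = ip4(net) & prefix_mask(plen);
    t->r[t->n].plen = plen;
    t->r[t->n++].dev = dev;
}

/* Longest-prefix match; NULL when no entry covers dst. */
static const char *route_lookup(const struct rtable *t, uint32_t dst)
{
    const char *best = NULL;
    int best_len = -1;
    for (int i = 0; i < t->n; i++)
        if ((dst & prefix_mask(t->r[i].plen)) == t->r[i].net && t->r[i].plen > best_len)
            best = t->r[i].dev, best_len = t->r[i].plen;
    return best;
}

struct packet { uint32_t src, dst; };
struct dnat_rule { uint32_t src, dst, to; };   /* -s SRC -d DST -j DNAT --to-dest TO */
struct verdict { const char *out_dev, *reply_dev; };

/* Once PREROUTING DNAT has rewritten the destination, the frame can no longer be
 * switched on MAC addresses alone: the box routes the new destination to choose
 * the output device, and the reply, un-DNATed back to the original sender, needs
 * a route to that sender. Source masquerading is not modelled. */
static struct verdict bridged_dnat(const struct rtable *t, struct packet p, const struct dnat_rule *r)
{
    struct verdict v = { NULL, NULL };
    if (p.src != r->src || p.dst != r->dst) return v;   /* no DNAT: stays a bridged frame */
    p.dst = r->to;
    v.out_dev = route_lookup(t, p.dst);
    v.reply_dev = route_lookup(t, p.src);
    return v;
}

/* Bart's test network with or without
 * "route add -net 172.16.1.0 netmask 255.255.255.0 dev br0". */
static const char *bart_reply_dev(int with_br0_route)
{
    struct rtable t = { .n = 0 };
    route_add(&t, "0.0.0.0", 0, "eth0");             /* default route, Internet side */
    if (with_br0_route) route_add(&t, "172.16.1.0", 24, "br0");
    struct dnat_rule r = { ip4("172.16.1.2"), ip4("172.16.1.4"), ip4("216.239.51.101") };
    struct packet p = { ip4("172.16.1.2"), ip4("172.16.1.4") };
    return bridged_dnat(&t, p, &r).reply_dev;         /* out_dev is eth0 either way */
}

/* kolisko's layout: one public host behind br0, one behind br1. Two default
 * routes in one table cannot express "comp1 via br0, comp2 via br1" (the first
 * shadows the second); host routes can. Addresses are made up, the thread
 * gives none. */
static const char *kolisko_dev(int use_host_routes, const char *host)
{
    struct rtable t = { .n = 0 };
    if (use_host_routes) {
        route_add(&t, "198.51.100.1", 32, "br0");    /* comp1 */
        route_add(&t, "198.51.100.2", 32, "br1");    /* comp2 */
    } else {
        route_add(&t, "0.0.0.0", 0, "br0");
        route_add(&t, "0.0.0.0", 0, "br1");
    }
    return route_lookup(&t, ip4(host));
}

int main(void)
{
    printf("reply to 172.16.1.2: without br0 route -> %s, with it -> %s\n",
           bart_reply_dev(0), bart_reply_dev(1));
    printf("comp2: two default routes -> %s, host routes -> %s\n",
           kolisko_dev(0, "198.51.100.2"), kolisko_dev(1, "198.51.100.2"));
    return 0;
}
```

Build with cc -std=c99 -o dnat_routes dnat_routes.c. The host routes in kolisko_dev stand in for whatever split of the public range the two bridges actually carry; the point is only that the decision has to be made on the destination prefix, since a single table has one default route.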
Dan Eble | 5 Mar 23:11 2003

locking in br_handle_frame

/* br_input.c, br_handle_frame() */
123	p = skb->dev->br_port;
124	if (p == NULL)
125		goto err_nolock;
126
127	br = p->br;
128	read_lock(&br->lock);
129	if (skb->dev->br_port == NULL)
130		goto err;

What protection do lines 129-130 offer over and above lines 124-125?

If the second check is unnecessary, it should be removed; however, 
if it is necessary, "p" should be reassigned as well, correct?

	read_lock(&br->lock);
- 	if (skb->dev->br_port == NULL)
+	p = skb->dev->br_port;
+	if (p == NULL)
		goto err;
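Review bot: reassigning p under the lock still only rejects a NULL port; if the device was detached and enslaved to another bridge between line 123 and line 128, the re-read p is non-NULL but p->br is not the bridge whose lock is held, and this check passes. Compare against the pointer read before locking instead, keeping the first p, for example "if (skb->dev->br_port != p) goto err;", so that a changed port is rejected along with a removed one.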

But if "p" can change between lines 123 and 129, that means "br = p->br;"  
may change too, and thus the wrong "br->lock" may be locked.

I'm so confused!  |(:^p

-- 
Dan Eble <dane <at> aiinet.com>  _____  .
                           |  _  |/|
Applied Innovation Inc.    | |_| | |
(Continue reading)
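
A userspace re-enactment of the window Dan asks about, added here as an example; it is not code from br_input.c or from the bridge project. The names net_bridge, net_bridge_port and br_port are borrowed for readability, the rwlock is a single-threaded bookkeeping stand-in that only checks the reader/writer invariants, and the concurrent port removal is injected by a hook placed between the unlocked read and read_lock(), so there is no real interleaving. With only a NULL re-check, a port that was detached and enslaved to a different bridge inside that window passes the check and the forwarding step runs under the old bridge's lock; re-reading the port under the lock and comparing it with the pointer read earlier catches that case. What the real kernel does with the memory of the removed port is a separate hazard of the same window and is left aside here.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Single-threaded stand-in for the kernel rwlock: records who holds it and
 * checks the reader/writer invariants. The "other CPU" is a hook run at the
 * exact point between the unlocked read of br_port and read_lock(). */
struct rwlock { int readers, writers; };
static void read_lock(struct rwlock *l)    { assert(l->writers == 0); l->readers++; }
static void read_unlock(struct rwlock *l)  { assert(l->readers > 0); l->readers--; }
static void write_lock(struct rwlock *l)   { assert(!l->readers && !l->writers); l->writers = 1; }
static void write_unlock(struct rwlock *l) { assert(l->writers == 1); l->writers = 0; }

struct net_bridge { struct rwlock lock; const char *name; };
struct net_bridge_port { struct net_bridge *br; };
struct net_device { struct net_bridge_port *br_port; };   /* NULL = not enslaved */

enum { FRAME_OK = 0, FRAME_NO_PORT = -1, FRAME_PORT_CHANGED = -2 };
enum race { RACE_NONE, RACE_DETACH, RACE_MOVE_TO_OTHER_BRIDGE };

struct world {
    struct net_bridge br0, br1;
    struct net_bridge_port p0, p1;      /* p0 belongs to br0, p1 to br1 */
    struct net_device dev;
    enum race race;
    const char *bridge_used;            /* whose lock covered the forwarding step */
};

/* Simulated port removal on another CPU: detach under the old bridge's write
 * lock, then (for RACE_MOVE_TO_OTHER_BRIDGE) enslave the device to br1. Port
 * memory is never freed here; in the kernel it would be. */
static void inject_race(struct world *w)
{
    if (w->race == RACE_NONE) return;
    write_lock(&w->br0.lock);  w->dev.br_port = NULL;    write_unlock(&w->br0.lock);
    if (w->race != RACE_MOVE_TO_OTHER_BRIDGE) return;
    write_lock(&w->br1.lock);  w->dev.br_port = &w->p1;  write_unlock(&w->br1.lock);
}

/* Variant 1, the shape quoted from br_input.c: re-check only for NULL. */
static int handle_frame_null_check(struct world *w)
{
    struct net_bridge_port *p = w->dev.br_port;   /* unlocked read (line 123) */
    if (p == NULL) return FRAME_NO_PORT;
    struct net_bridge *br = p->br;
    inject_race(w);
    read_lock(&br->lock);
    if (w->dev.br_port == NULL) { read_unlock(&br->lock); return FRAME_NO_PORT; }
    w->bridge_used = br->name;    /* forwarding would run here, trusting p and br */
    read_unlock(&br->lock);
    return FRAME_OK;
}

/* Variant 2: re-read under the lock and insist on the same port object; a
 * different non-NULL port means br, and the lock being held, are stale. */
static int handle_frame_identity_check(struct world *w)
{
    struct net_bridge_port *p = w->dev.br_port;
    if (p == NULL) return FRAME_NO_PORT;
    struct net_bridge *br = p->br;
    inject_race(w);
    read_lock(&br->lock);
    struct net_bridge_port *now = w->dev.br_port;
    if (now != p) { read_unlock(&br->lock); return now ? FRAME_PORT_CHANGED : FRAME_NO_PORT; }
    w->bridge_used = br->name;
    read_unlock(&br->lock);
    return FRAME_OK;
}

/* Fresh world with dev enslaved to br0; returns the verdict and, through
 * bridge_used, the name of the bridge whose lock covered forwarding ("" if none). */
static int run_scenario(enum race race, int identity_check, const char **bridge_used)
{
    struct world w = { .br0 = { {0, 0}, "br0" }, .br1 = { {0, 0}, "br1" },
                       .race = race, .bridge_used = "" };
    w.p0.br = &w.br0;  w.p1.br = &w.br1;  w.dev.br_port = &w.p0;
    int rc = identity_check ? handle_frame_identity_check(&w) : handle_frame_null_check(&w);
    if (bridge_used) *bridge_used = w.bridge_used;
    return rc;
}

/* The case asked about: the port moved to br1 while we were about to lock br0.
 * Returns 1 when the NULL-only variant forwarded under br0's lock regardless. */
static int null_check_locks_wrong_bridge(void)
{
    const char *used;
    return run_scenario(RACE_MOVE_TO_OTHER_BRIDGE, 0, &used) == FRAME_OK && !strcmp(used, "br0");
}

int main(void)
{
    printf("NULL-only re-check forwards under br0's lock after the port moved: %s\n",
           null_check_locks_wrong_bridge() ? "yes" : "no");
    printf("identity re-check verdict for the same race: %d\n",
           run_scenario(RACE_MOVE_TO_OTHER_BRIDGE, 1, NULL));
    return 0;
}
```

Build with cc -std=c99 -o br_port_race br_port_race.c. A plain detach (RACE_DETACH) is caught by both variants, which is the case the quoted NULL check was written for; the identity comparison is what separates "still the port we started with" from "some port is attached".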

David Hsu | 10 Mar 12:36 2003

Use one MAC address between interfaces

Dear all,
Could I bridge two or more interfaces using the same MAC address?
I have tried it, but it seemed not to work. Is it reasonable?

TIA.

David
Rinse Kloek | 10 Mar 19:01 2003

Bridge limitations

We use a RedHat 7.3 machine as a bridge on a P3 1.8 GHz with two 64-bit
Gigabit interfaces. On the machine we have a lot of iptables rules like:
            all  --  213.134.x.0        0.0.0.0/0
            all  --  0.0.0.0/0            213.134.x.0
TOS    all  --  213.134.x.4        0.0.0.0/0          TOS set 0x08
            all  --  0.0.0.0/0            213.134.x.4
Currently in the peak hours we have about 40 Megabit of traffic. Also in
these peak hours we have a CPU load of about 70%. What is the main reason for
this CPU load: is it the high traffic or the iptables rules on the machine?
And if the iptables rules are the reason for the high CPU load, does TOS
mangling use much CPU?
 
regards Rinse

Marek Kierdelewicz | 10 Mar 20:59 2003

Re: Bridge limitations

Hello,

On Mon, 10 Mar 2003 19:01:51 +0100
"Rinse Kloek" <rinse <at> solcon.nl> wrote:

> We use a RedHat 7.3 machine as a bridge on a P3 1.8 GHz with two 64-bit
> Gigabit interfaces. On the machine we have a lot of iptables rules like:
>             all  --  213.134.x.0        0.0.0.0/0
>             all  --  0.0.0.0/0            213.134.x.0
> TOS    all  --  213.134.x.4        0.0.0.0/0          TOS set 0x08
>             all  --  0.0.0.0/0            213.134.x.4
> Currently in the peak hours we have about 40 Megabit of traffic. Also in
> these peak hours we have a CPU load of about 70%. What is the main reason for
> this CPU load: is it the high traffic or the iptables rules on the machine?
> And if the iptables rules are the reason for the high CPU load, does TOS
> mangling use much CPU?

There's definitely something wrong. Check your kernel configuration:
Networking Options -> Network packet filtering debugging should be DISABLED.
Otherwise your box will experience extreme logging and high CPU usage.

> 
> regards Rinse
> 
> 

regards,
Marek Kierdelewicz
