zok | 1 Apr 2005 14:36

bridge problem, please help me

I have a problem with a bridge, please help me
 
My configuration:
 
eth0,eth1,wlan0
 
bridge is br0 on devices eth0 and wlan0. Device eth1 is not in bridge.
 
br0 ip is 192.168.1.1
eth1 ip is 192.168.2.1
 
ethernet (eth0,eth1) is in one switch.
 
All is OK if eth1 is not in the system; if eth1 is plugged into the system and the eth1 interface is brought up, the network crashes :(
 
Thanks.
_______________________________________________
Bridge mailing list
Bridge <at> lists.osdl.org
http://lists.osdl.org/mailman/listinfo/bridge
Stephen Hemminger | 1 Apr 2005 19:07

Re: bridge problem, please help me

On Fri, 1 Apr 2005 14:36:27 +0200
"zok" <zok <at> suzo.sk> wrote:

> I have a problem with a bridge, please help me
> 
> My configuration:
> 
> eth0,eth1,wlan0
> 
> bridge is br0 on devices eth0 and wlan0. Device eth1 is not in bridge.
> 
> br0 ip is 192.168.1.1
> eth1 ip is 192.168.2.1
> 
> ethernet (eth0,eth1) is in one switch.
> 
> All is OK if eth1 is not in the system; if eth1 is plugged into the system and the eth1 interface is brought up, the network crashes :(

You don't want to assign an IP address to eth1 unless you are doing other things
to turn the configuration into a brouter.

Alpt | 4 Apr 2005 18:22

Re: [PATCH bridge-2.6.11] bridge hub_enabled option

On Tue, Mar 29, 2005 at 01:27:33PM +0200, Alpt wrote  :
~> The document describing this patch is here:
~> http://www.freaknet.org/alpt/src/bridge-hub/readme
~> 
~> There is a small correction for this patch. The new version is attached
~> here and can also be found here:
~> http://www.freaknet.org/alpt/src/bridge-hub/bridge-2.6.11-hub.patch
~> 
~> The patch for the bridge-utils:
~> http://www.freaknet.org/alpt/src/bridge-hub/bridge-utils-1.0.6-hub.patch

so.. is it applied or not?

Best Regards
--

-- 
:wq!
"I don't know nothing" The One Who reached the Thinking Matter   '.'

[ Alpt --- Freaknet Medialab ]
[ GPG Key ID 441CF0EE ]
[ Key fingerprint = 8B02 26E8 831A 7BB9 81A9  5277 BFF8 037E 441C F0EE ]
jorge Matus | 4 Apr 2005 16:12

help with bridge in kernel 2.6

Hello, I have seen your work and it is really quite interesting. The
truth is that I am new to Linux, but I have learned a lot lately.
I am writing to see if you can help me.

I am working with Fedora Core 2, kernel 2.6. I have installed a
tool, "bridge-utils-0.9.6-1.i386.rpm", so that the brctl
command works.
So far I have no problems; what I need to know is whether on this
distro I have to do any additional configuration. Thank you for your
help, I look forward to your reply. I will also subscribe to the list
to see if I can contribute something.
Stephen Hemminger | 4 Apr 2005 18:30

Re: [PATCH bridge-2.6.11] bridge hub_enabled option

On Mon, 4 Apr 2005 18:22:01 +0200
Alpt <alpt <at> freaknet.org> wrote:

> On Tue, Mar 29, 2005 at 01:27:33PM +0200, Alpt wrote  :
> ~> The document describing this patch is here:
> ~> http://www.freaknet.org/alpt/src/bridge-hub/readme
> ~> 
> ~> There is a small correction for this patch. The new version is attached
> ~> here and can also be found here:
> ~> http://www.freaknet.org/alpt/src/bridge-hub/bridge-2.6.11-hub.patch
> ~> 
> ~> The patch for the bridge-utils:
> ~> http://www.freaknet.org/alpt/src/bridge-hub/bridge-utils-1.0.6-hub.patch
> 
> so.. is it applied or not?
> 
> Best Regards

I would rather it not be applied to mainline since it only has specialized usage.
I am willing to keep it in the patches area of the bridge site so others
can find it.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Bryan Waters | 4 Apr 2005 20:20

Re: help with bridge in kernel 2.6

Have you read this page?  http://bridge.sourceforge.net/faq.html

or this one?  http://bridge.sourceforge.net/howto.html

You don't tell us what problems you are having?  "Bridging" works for me on FC2.

-bryanw

jorge Matus wrote:

>Hello, I have seen your work and it is really quite interesting. The
>truth is that I am new to Linux, but I have learned a lot lately.
>I am writing to see if you can help me.
>
>I am working with Fedora Core 2, kernel 2.6. I have installed a
>tool, "bridge-utils-0.9.6-1.i386.rpm", so that the brctl
>command works.
>So far I have no problems; what I need to know is whether on this
>distro I have to do any additional configuration. Thank you for your
>help, I look forward to your reply. I will also subscribe to the list
>to see if I can contribute something.
Beppe | 4 Apr 2005 20:26

Some clients are unable to connect fully to the other side.

Hi list,

I have set up our router/firewall with bridging.
The bridge is there because we have another router with an IPsec tunnel.
The traffic from that I don't trust; I have seen a lot of noise that
needs to be dropped (ports like 135, 137, 138, 445 etc.).

It all works just fine except for some clients.

From my client (winxpp sp1) I can browse web servers, and receive and send
mail on networks behind the bridge and IPsec tunnel.
So the bridge works (for me at least).
The problem on some clients is, for example:
if I telnet to the mail server's POP3, I'm able to log in
and list the inbox, but when I do "RETR 1" nothing more happens.

It feels like there is some issue with larger packets from the other side.

tcpdump from a bad client unable to get mail shows:

19:47:50.946266 IP (tos 0x0, ttl 127, id 19315, offset 0, flags [DF], 
length: 48) client.1815 > server.110: S [tcp sum ok] 
3838110372:3838110372(0) win 65535 <mss 1460,nop,nop,sackOK>

19:47:50.989986 IP (tos 0x0, ttl 127, id 24652, offset 0, flags [DF], 
length: 48) server.110 > client.1815: S [tcp sum ok] 
376748423:376748423(0) ack 3838110373 win 65535 <mss 1400,nop,nop,sackOK>

19:47:50.990126 IP (tos 0x0, ttl 127, id 19316, offset 0, flags [DF], 
length: 40) client.1815 > server.110: . [tcp sum ok] 1:1(0) ack 1 win 65535

19:47:51.034310 IP (tos 0x0, ttl 127, id 24656, offset 0, flags [DF], 
length: 140) server.110 > client.1815: P 1:101(100) ack 1 win 65535

19:47:51.034561 IP (tos 0x0, ttl 127, id 19317, offset 0, flags [DF], 
length: 74) client.1815 > server.110: P 1:35(34) ack 101 win 65435

19:47:51.078620 IP (tos 0x0, ttl 127, id 24657, offset 0, flags [DF], 
length: 45) server.110 > client.1815: P [tcp sum ok] 101:106(5) ack 35 
win 65501

19:47:51.078840 IP (tos 0x0, ttl 127, id 19318, offset 0, flags [DF], 
length: 55) client.1815 > server.110: P 35:50(15) ack 106 win 65430

19:47:51.130881 IP (tos 0x0, ttl 127, id 24666, offset 0, flags [DF], 
length: 74) server.110 > client.1815: P 106:140(34) ack 50 win 65486

19:47:51.131129 IP (tos 0x0, ttl 127, id 19319, offset 0, flags [DF], 
length: 46) client.1815 > server.110: P [tcp sum ok] 50:56(6) ack 140 
win 65396

19:47:51.181633 IP (tos 0x0, ttl 127, id 24668, offset 0, flags [DF], 
length: 54) server.110 > client.1815: P [tcp sum ok] 140:154(14) ack 56 
win 65480

19:47:51.182402 IP (tos 0x0, ttl 127, id 19320, offset 0, flags [DF], 
length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 
win 65382

19:47:52.613277 IP (tos 0x0, ttl 127, id 19337, offset 0, flags [DF], 
length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 
win 65382

19:47:52.662321 IP (tos 0x0, ttl 127, id 24718, offset 0, flags [DF], 
length: 40) server.110 > client.1815: . [tcp sum ok] 1554:1554(0) ack 64 
win 65472

the last two packets with hex dump

19:45:33.909104 IP (tos 0x0, ttl 127, id 18214, offset 0, flags [DF], 
length: 48) client.1808 > server.110: P [tcp sum ok] 56:64(8) ack 154 
win 65382
0x0000: 4500 0030 4726 4000 7f06 0fc4 0a10 888c  E..0G&@.........
0x0010: 0a10 0832 0710 006e e2af ddd2 1456 405f  ...2...n.....V@_
0x0020: 5018 ff66 1af7 0000 5245 5452 2031 0d0a  P..f....RETR.1..

19:45:33.968763 IP (tos 0x0, ttl 127, id 20411, offset 0, flags [DF], 
length: 40) server.110 > client.1808: . [tcp sum ok] 1554:1554(0) ack 64 
win 65472
0x0000: 4500 0028 4fbb 4000 7f06 0737 0a10 0832  E..(O.@....7...2
0x0010: 0a10 888c 006e 0710 1456 45d7 e2af ddda  .....n...VE.....
0x0020: 5010 ffc0 e8ff 0000 0000 0000 0000       P.............

The ghost in me says that it can be something with MTU, can it be that?
I'm not an IP/TCP expert, but from a brief analysis of a good and a bad client,
the first SYN on the good client has "mss 1260" while the bad client has "mss 1460".
Generally the bad clients are Win98se and win2k,
but there are some winxpp with the same issue.

setup:
Linux dist Gentoo 2004.3
Kernel 2.6.11-gentoo-r4
kernel patched with
	linux-2.6.11-mppe-mppc-1.3
	patch-o-matic-ng-20050322 CLASSIFY
	patch-o-matic-ng-20050322 ownercmd
	patch-o-matic-ng-20050322 psd
	patch-o-matic-ng-20050322 time
	patch-o-matic-ng-20050322 IPMARK
	patch-o-matic-ng-20050322 TARPIT
	patch-o-matic-ng-20050322 XOR
	patch-o-matic-ng-20050322 ipp2p
iptables-1.3.1
bridge-utils-0.9.6-r1

Interface desc:
eth0:  External network (internet)
eth1:  Local network (office)
eth2:  DMZ
eth3:  Local network (ipsec)
ppp+:  Dial-in VPN
tun01: gre tunnel
br0:   Bridge network eth1 and eth3

Directions on how to counter this problem are warmly welcome,

take care,
::Beppe
Beppe | 4 Apr 2005 20:58

Re: Some clients are unable to connect fully to the other side.[SOLVED]

hehe, i feel good.

/usr/local/sbin/iptables -A PREROUTING -t mangle -i br0 -p tcp --syn -j TCPMSS --set-mss 1260

did it.

take care,
::Beppe

Beppe wrote:
> Hi list,
> 
> I have set up our router/firewall with bridging.
> The bridge is there because we have another router with an IPsec tunnel.
> The traffic from that I don't trust; I have seen a lot of noise that
> needs to be dropped (ports like 135, 137, 138, 445 etc.).
> 
> It all works just fine except for some clients.
> 
> From my client (winxpp sp1) I can browse web servers, and receive and send
> mail on networks behind the bridge and IPsec tunnel.
> So the bridge works (for me at least).
> The problem on some clients is, for example:
> if I telnet to the mail server's POP3, I'm able to log in
> and list the inbox, but when I do "RETR 1" nothing more happens.
> 
> It feels like there is some issue with larger packets from the other side.
> 
> tcpdump from a bad client unable to get mail shows:
> 
> 19:47:50.946266 IP (tos 0x0, ttl 127, id 19315, offset 0, flags [DF], 
> length: 48) client.1815 > server.110: S [tcp sum ok] 
> 3838110372:3838110372(0) win 65535 <mss 1460,nop,nop,sackOK>
> 
> 19:47:50.989986 IP (tos 0x0, ttl 127, id 24652, offset 0, flags [DF], 
> length: 48) server.110 > client.1815: S [tcp sum ok] 
> 376748423:376748423(0) ack 3838110373 win 65535 <mss 1400,nop,nop,sackOK>
> 
> 19:47:50.990126 IP (tos 0x0, ttl 127, id 19316, offset 0, flags [DF], 
> length: 40) client.1815 > server.110: . [tcp sum ok] 1:1(0) ack 1 win 65535
> 
> 19:47:51.034310 IP (tos 0x0, ttl 127, id 24656, offset 0, flags [DF], 
> length: 140) server.110 > client.1815: P 1:101(100) ack 1 win 65535
> 
> 19:47:51.034561 IP (tos 0x0, ttl 127, id 19317, offset 0, flags [DF], 
> length: 74) client.1815 > server.110: P 1:35(34) ack 101 win 65435
> 
> 19:47:51.078620 IP (tos 0x0, ttl 127, id 24657, offset 0, flags [DF], 
> length: 45) server.110 > client.1815: P [tcp sum ok] 101:106(5) ack 35 
> win 65501
> 
> 19:47:51.078840 IP (tos 0x0, ttl 127, id 19318, offset 0, flags [DF], 
> length: 55) client.1815 > server.110: P 35:50(15) ack 106 win 65430
> 
> 19:47:51.130881 IP (tos 0x0, ttl 127, id 24666, offset 0, flags [DF], 
> length: 74) server.110 > client.1815: P 106:140(34) ack 50 win 65486
> 
> 19:47:51.131129 IP (tos 0x0, ttl 127, id 19319, offset 0, flags [DF], 
> length: 46) client.1815 > server.110: P [tcp sum ok] 50:56(6) ack 140 
> win 65396
> 
> 19:47:51.181633 IP (tos 0x0, ttl 127, id 24668, offset 0, flags [DF], 
> length: 54) server.110 > client.1815: P [tcp sum ok] 140:154(14) ack 56 
> win 65480
> 
> 19:47:51.182402 IP (tos 0x0, ttl 127, id 19320, offset 0, flags [DF], 
> length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 
> win 65382
> 
> 19:47:52.613277 IP (tos 0x0, ttl 127, id 19337, offset 0, flags [DF], 
> length: 48) client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 
> win 65382
> 
> 19:47:52.662321 IP (tos 0x0, ttl 127, id 24718, offset 0, flags [DF], 
> length: 40) server.110 > client.1815: . [tcp sum ok] 1554:1554(0) ack 64 
> win 65472
> 
> the last two packets with hex dump
> 
> 19:45:33.909104 IP (tos 0x0, ttl 127, id 18214, offset 0, flags [DF], 
> length: 48) client.1808 > server.110: P [tcp sum ok] 56:64(8) ack 154 
> win 65382
> 0x0000: 4500 0030 4726 4000 7f06 0fc4 0a10 888c  E..0G&@.........
> 0x0010: 0a10 0832 0710 006e e2af ddd2 1456 405f  ...2...n.....V@_
> 0x0020: 5018 ff66 1af7 0000 5245 5452 2031 0d0a  P..f....RETR.1..
> 
> 19:45:33.968763 IP (tos 0x0, ttl 127, id 20411, offset 0, flags [DF], 
> length: 40) server.110 > client.1808: . [tcp sum ok] 1554:1554(0) ack 64 
> win 65472
> 0x0000: 4500 0028 4fbb 4000 7f06 0737 0a10 0832  E..(O.@....7...2
> 0x0010: 0a10 888c 006e 0710 1456 45d7 e2af ddda  .....n...VE.....
> 0x0020: 5010 ffc0 e8ff 0000 0000 0000 0000       P.............
> 
> 
> The ghost in me says that it can be something with MTU, can it be that?
> I'm not an IP/TCP expert, but from a brief analysis of a good and a bad client,
> the first SYN on the good client has "mss 1260" while the bad client has
> "mss 1460".
> Generally the bad clients are Win98se and win2k,
> but there are some winxpp with the same issue.
> 
> 
> setup:
> Linux dist Gentoo 2004.3
> Kernel 2.6.11-gentoo-r4
> kernel patched with
>     linux-2.6.11-mppe-mppc-1.3
>     patch-o-matic-ng-20050322 CLASSIFY
>     patch-o-matic-ng-20050322 ownercmd
>     patch-o-matic-ng-20050322 psd
>     patch-o-matic-ng-20050322 time
>     patch-o-matic-ng-20050322 IPMARK
>     patch-o-matic-ng-20050322 TARPIT
>     patch-o-matic-ng-20050322 XOR
>     patch-o-matic-ng-20050322 ipp2p
> iptables-1.3.1
> bridge-utils-0.9.6-r1
> 
> 
> Interface desc:
> eth0:  External network (internet)
> eth1:  Local network (office)
> eth2:  DMZ
> eth3:  Local network (ipsec)
> ppp+:  Dial-in VPN
> tun01: gre tunnel
> br0:   Bridge network eth1 and eth3
> 
> 
> Directions on how to counter this problem are warmly welcome,
> 
> take care,
> ::Beppe
> 
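
Added example, not part of the original posts: a short Python check of the trace Beppe posted, showing how the stall can be read from sequence numbers alone and why clamping the MSS to 1260 addresses it. The trace is re-typed from that message with mail-wrapped lines joined and the IP header fields (every packet had DF set) dropped; the function names are this example's own.

```python
import re

# Constructed input: the tcpdump lines from the message above, with wrapped
# lines re-joined and the "IP (tos ..., flags [DF], length: N)" part removed.
TRACE = """\
19:47:50.946266 client.1815 > server.110: S [tcp sum ok] 3838110372:3838110372(0) win 65535 <mss 1460,nop,nop,sackOK>
19:47:50.989986 server.110 > client.1815: S [tcp sum ok] 376748423:376748423(0) ack 3838110373 win 65535 <mss 1400,nop,nop,sackOK>
19:47:50.990126 client.1815 > server.110: . [tcp sum ok] 1:1(0) ack 1 win 65535
19:47:51.034310 server.110 > client.1815: P 1:101(100) ack 1 win 65535
19:47:51.034561 client.1815 > server.110: P 1:35(34) ack 101 win 65435
19:47:51.078620 server.110 > client.1815: P [tcp sum ok] 101:106(5) ack 35 win 65501
19:47:51.078840 client.1815 > server.110: P 35:50(15) ack 106 win 65430
19:47:51.130881 server.110 > client.1815: P 106:140(34) ack 50 win 65486
19:47:51.131129 client.1815 > server.110: P [tcp sum ok] 50:56(6) ack 140 win 65396
19:47:51.181633 server.110 > client.1815: P [tcp sum ok] 140:154(14) ack 56 win 65480
19:47:51.182402 client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 win 65382
19:47:52.613277 client.1815 > server.110: P [tcp sum ok] 56:64(8) ack 154 win 65382
19:47:52.662321 server.110 > client.1815: . [tcp sum ok] 1554:1554(0) ack 64 win 65472
"""

LINE = re.compile(r"(\S+) > (\S+): (\S+) (?:\[tcp sum ok\] )?(\d+):(\d+)\(\d+\)")
MSS_OPT = re.compile(r"<mss (\d+)")
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def analyze(trace):
    """Return (MSS advertised by each sender, sequence ranges never captured)."""
    mss, next_seq, holes = {}, {}, []
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _dst, flags, start, end = m.groups()
        start, end = int(start), int(end)
        if "S" in flags:
            # SYN or SYN-ACK: keep the MSS option; later lines use relative seq.
            opt = MSS_OPT.search(line)
            if opt:
                mss[src] = int(opt.group(1))
            next_seq[src] = 1
            continue
        expected = next_seq.get(src, start)
        if start > expected:
            holes.append((src, expected, start))  # bytes this capture never saw
        next_seq[src] = max(expected, end)
    return mss, holes


def largest_packet(mss_value):
    return mss_value + IP_TCP_HEADERS  # IPv4 packet carrying one full segment


if __name__ == "__main__":
    print(analyze(TRACE))
```

On this trace the only hole is server.110 bytes 154 to 1554: one 1400-byte segment, i.e. a 1440-byte packet with DF set, that never appears in the capture. With the client's SYN rewritten to mss 1260, full segments toward the client become 1300-byte packets.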
Rob Boucher | 8 Apr 2005 15:32

PF_PACKET socket

From the archives it looks like there may be some knowledge in this area...
2.4.20 kernel

I have 2 network interfaces eth0 & eth1 connected via bridge br0. eth0
and eth1 do not have IPs, br0 may or may not have an IP. Not planning
on using ebtables package to solve this problem.....

Here is the first question...

If a user space process wants to intercept packets entering eth0 for a
specific protocol, ETH_P_802_2 for example, (basically any case where
a packet handler is installed into the ptype_base[] table in dev.c,
AFTER the bridge code entry point). How do I bind the user space
socket to guarantee that it will receive the ETH_P_802_2 frames
received/posted by eth0.

It looks to me like: if the socket is created and then bound to eth0
it will never see any frames of type ETH_P_802_2 when a bridge is
in place. Is this correct?

What should happen when the PF_PACKET socket is bound to br0? Should I
expect to see 802.2 packets from the bridge? Will all the packets pass
by undetected? Will the bridge only pass the packets up if an IP
address is assigned to br0?

Another question, again w/o ebtables....
Is there a way with PF_PACKET to intercept a certain protocol type
before it enters the bridge, pass it to the PF_PACKET handler
completely consuming the frame. Thus, causing the frame to be consumed
by the localhost and not bridged?

Thanks!!
Rob
Stephen Hemminger | 13 Apr 2005 19:09

Re: Linux Bridging

On Wed, 13 Apr 2005 10:50:15 +0100
"Andre Santos \(Ecofilmes\)" <andre.santos <at> ecofilmes.pt> wrote:

> Hi there,
>  
> I want to have a computer between the internet and the network to see the traffic and control.
> I used Windows, but it's somehow limited, and want to try Linux...
> I installed Fedora Linux in server mode, and now I'm trying to put 2 NICs in a bridge.
>  
> First, I tried to do like this (the first part):
> http://www.sjdjweis.com/linux/bridging/
>  
> It didn't work..
> I did  brctl show and no bridge configured...
>  
> Then I enabled all the services I turned off from this article again.
>  
> In the file    /etc/sysctl.conf:   
> I changed the 0 to 1 ..  net.ipv4.ip_forward = 1 
>  
>  
> In the console I wrote:
>  ifconfig eth0 0.0.0.0 up 
>  ifconfig eth1 0.0.0.0 up 
>  brctl addbr br0 
>  brctl addif br0 eth0 
>  brctl addif br0 eth1 
>  ifconfig br0 X.X.X.X netmask 255.255.255.0 
>  
> For testing I put  Workstation -> Hub -> Bridge -> network 
> I want to see if bridge works, if the workstation has to be able to ping the network it's working.
> 
> I can ping server from the linux, but from the computer behind bridge to network it can't ping, and the
> connection is limited, can't get IP.

Did you wait for the STP status to change to forwarding? 
It has to go through a learning period first.

What is the output of 'brctl showstp br0'

>  
> Tried to install bridge-utils-1.0.4.tar, ran configure and config.status in console and install-sh in
> the folder but, I don't know if it had any effect.. as I'm a newbie at Linux.
> The location  /bridge-utils-1.0.4/    don't know if I had to put in some other folder...

Latest is 1.0.5

If you do:
	./configure
	make
You will build the utilities.
Then you need to run
	make install
as root.  By default it puts the new brctl in /usr/local/sbin/brctl

You can figure out what version is running by doing 'brctl -V'
Also, unless you have problems, I recommend starting with the bridge-utilities
included with your linux distribution. The utilities have been stable long enough
that little changes.

>  
>  
> Could you help me on this?
>  
> Much appreciated!!
>  
> Thanks for your time.
>  
> Best regards,
> André Santos
