
List:       linux-bridge
Subject:    Re: [Bridge] Bridge and iptables
From:       cgfreita <cgfreita () enetec ! com ! br>
Date:       2002-05-26 0:42:57

Bart,

> > 	ebtables -F
> > 	ebtables -A FORWARD -p IPV4 --ip-dst xxx.xxx.xxx.xxx -j DROP,
> > 	nothing happens. Packets to that address are forwarded.
> >
> > 	And it doesn't make any difference if I use the same rule to
> > 	INPUT and OUTPUT too.
> 
> try ebtables -A FORWARD -p LENGTH -j DROP
> 
> If I'm guessing right this should also stop the traffic (except ARP
> I guess). So my guess is you are using IP over 802.3 Ethernet, not
> over Ethernet II. If you know the Ethernet header: the Type Field is
> actually used as a Length Field.
> Currently neither the bridge-nf nor the ebtables patches support IP
> filtering over 802.3 Ethernet. This is on the todo-list of ebtables ;)

	At the time I received this email I had already deleted the ebtables
patch to do other tests from a "clean" kernel tree. I will compile it
again to try your suggestion. I confess that I don't know how to check
what kind of Ethernet frame I am using. I have read about this using
IPX and there are some utils to configure interfaces that show the
type of frame. I will improve my knowledge about this to try to find
the information you asked.

> Solutions:
> - switch network to Ethernet II, or
> - get someone to code support for 802.3.
> I'm willing to (figure out how to) code this (for bridge-nf and
> ebtables), but I can't test this on my network. So I would need your
> help _and_ patience.

	I really hope that you are successful in coding this. I think that a
bridge+firewall is a great and powerful device.
	I don't know how I can help you because my resources (computers,
network and knowledge) are very limited, but I will do my best.
	Thank you for your attention.

Cheers,

Freitas
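
Added example, not part of the original message or of the ebtables/bridge-nf code: a Python classifier that tells Ethernet II from 802.3 framing by the Type/Length field discussed in the thread, and finds the IPv4 EtherType when it sits behind an LLC/SNAP header. `classify_frame` is a hypothetical helper name, and the MAC addresses and payloads are constructed sample data.

```python
import struct

ETH_P_IP = 0x0800  # EtherType for IPv4

def classify_frame(frame: bytes) -> dict:
    """Classify a frame that starts at the destination MAC (no preamble, no FCS)."""
    if len(frame) < 14:
        raise ValueError("shorter than a 14-byte Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    result = {"framing": None, "ethertype": None, "ipv4": False}
    if type_or_len >= 0x0600:
        # 1536 and above: the field is an EtherType (Ethernet II).
        result.update(framing="Ethernet II", ethertype=type_or_len)
    elif type_or_len > 1500:
        result["framing"] = "undefined (1501-1535)"
    else:
        # 1500 and below: the field is a payload length (IEEE 802.3).
        payload = frame[14:14 + type_or_len]
        if payload[:2] == b"\xff\xff":
            result["framing"] = "802.3 raw (Novell IPX)"
        elif payload[:3] == b"\xaa\xaa\x03" and len(payload) >= 8:
            result["framing"] = "802.3 + LLC/SNAP"
            # OUI 00-00-00 means the SNAP protocol id is an EtherType (RFC 1042).
            if payload[3:6] == b"\x00\x00\x00":
                result["ethertype"] = struct.unpack("!H", payload[6:8])[0]
        else:
            result["framing"] = "802.3 + LLC"
    result["ipv4"] = result["ethertype"] == ETH_P_IP
    return result

# Constructed sample frames: made-up MACs, 20 zero bytes standing in for an IPv4 header.
MACS = bytes.fromhex("020000000002" "020000000001")
IP_STUB = bytes(20)
SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + IP_STUB
SAMPLES = {
    "ethernet2_ip": MACS + struct.pack("!H", ETH_P_IP) + IP_STUB,
    "snap_ip": MACS + struct.pack("!H", len(SNAP_IP)) + SNAP_IP,
    "raw_ipx": MACS + struct.pack("!H", 30) + b"\xff\xff" + bytes(28),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify_frame(frame))
```

In the `snap_ip` case the Type/Length field holds a length, so a filter that only compares that field against 0x0800 does not see the frame as IPv4 even though it carries an IPv4 packet.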

