[Bridge] Bridging firewall issue - which interface are packets
shemminger at linux-foundation.org
Mon Oct 22 09:13:50 PDT 2007
On Sun, 21 Oct 2007 00:21:57 -0400
s24067 at rmc.ca wrote:
> Hello folks, I'm hoping someone can help me here. I'll try to describe the problem in detail.
> I'm attempting to set up a bridging firewall using libipq. I'm running on Ubuntu Server 7.04, out of the box kernel (2.6.20)
> My bridge is set up with the following commands:
> brctl addbr br0
> brctl stp br0 off
> brctl addif br0 eth1
> brctl addif br0 eth2
> ifconfig eth1 down
> ifconfig eth2 down
> ifconfig eth1 0.0.0.0 up
> ifconfig eth2 0.0.0.0 up
> ifconfig br0 0.0.0.0 up
> IP queue is set up with the following:
> iptables -A FORWARD -j QUEUE
> modprobe ip_queue
> The bridge works fine. Traffic is sent back and forth. My libipq app can see traffic and stop it. However, one thing I would like to be able to find out in user space is which interface a packet arrived on (ie/ which direction it's going). As far as IPQ is concerned, all packets are arriving and leaving on br0.
> After reading a bit more about netfilter, iptables and the FIREWALL document distributed with brctl, I figured my best bet would be do something like this:
> iptables -A INPUT -i eth1 -j MARK --set-mark 1
> iptables -A INPUT -i eth2 -j MARK --set-mark 2
> This way I could just check the mark value when the packet got sent to QUEUE (and up to user space) from the FORWARD chain. However, this doesn't work. From everything I can tell, packets traversing the bridge do not even go through the INPUT chain, as I can put in this rule:
> iptables -A INPUT -j DROP
> yet traffic still flows through fine (as long as my libipq app is running).
> Does anyone here have any ideas? I would really appreciate any suggestions.
> David Vessey
Ask on netfilter-devel mailing list and Patrick McHardy.
Stephen Hemminger <shemminger at linux-foundation.org>
More information about the Bridge