
netfilter + iproute2 + bridge = incompatible?


Tor I. Skaar

Aug 3, 2004, 5:34:32 AM8/3/04
After extensive testing, I believe that the combination
netfilter-iproute2-bridge does not work. The following has been set up
on a machine:

- A transparent bridge between eth0 and eth1 (bridge code patched so that
it acts as a hub)

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off

- Marking certain sessions with netfilter

iptables -t mangle -A PREROUTING -m conntrack --ctorigsrc <address> -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m mark --mark 1 -j LOG --log-prefix "Mark: "   # used only for testing

- iproute2 routing based on netfilter marks

ip rule add fwmark 1 table 2
ip route add 0/0 dev eth2 table 2

A simple drawing of the setup. Notice that the box is located off the
main wire.

External net        |
------------       eth2
      |          +--+--+
     TAP-----eth0+     +eth1--
      |          +-----+
------------
Internal net

All interfaces are configured as follows:

ip addr add 0.0.0.0 dev {eth0, eth1, eth2, br0}
ip link set {eth0, eth1, eth2, br0} arp off up

The marking of packets works correctly (log as expected), but iproute2
does not perform routing.

Any suggestions to why this does not work?

-
BTW, using the netfilter route patch/module is not an option as this
removes state entries from /proc/net/ip_conntrack.

I recently found a similar case on this group:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=d10945bc.0407202219.8daacc3%40posting.google.com&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26selm%3Dd10945bc.0407202219.8daacc3%2540posting.google.com
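The mark-then-route chain from the post, as an added Python simulation (not the poster's code and not kernel code) of the behaviour Tor reports working in a plain routed setup: a toy conntrack, the mangle MARK rule, and the iproute2 rule/table lookup. The monitored address 10.0.0.5 and the main-table routes are constructed; the bridge path is not modelled.

```python
import ipaddress
from collections import namedtuple
# Constructed stand-in for the <address> in the poster's --ctorigsrc rule.
MONITORED_SRC = ipaddress.ip_address("10.0.0.5")
# RPDB as in the post: 'ip rule add fwmark 1 table 2' (default pref 32765, just
# ahead of main) and 'ip route add 0/0 dev eth2 table 2'. Main-table routes are constructed.
RULES = [(32765, 1, "2"), (32766, None, "main")]          # (pref, fwmark, table)
TABLES = {"2": [("0.0.0.0/0", "eth2")],
          "main": [("10.0.0.0/24", "eth1"), ("0.0.0.0/0", "eth0")]}

Packet = namedtuple("Packet", "src dst sport dport proto", defaults=["tcp"])

class Conntrack:
    """Toy connection tracker: remembers the original source of each flow."""
    def __init__(self):
        self.flows = {}
    def orig_src(self, p):
        key = (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))
        return ipaddress.ip_address(self.flows.setdefault(key, p.src))

def mangle_prerouting(ct, p):
    """'-m conntrack --ctorigsrc <address> -j MARK --set-mark 1': matches BOTH
    directions of a flow whose first packet came from <address>, unlike '-s'."""
    return 1 if ct.orig_src(p) == MONITORED_SRC else 0

def lookup_table(table, dst):
    """Longest-prefix match inside one routing table; None if no route."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(mark, dst):
    """Walk rules by preference; a rule with a fwmark selector needs an equal mark."""
    for _pref, fwmark, table in sorted(RULES, key=lambda r: r[0]):
        if fwmark is None or fwmark == mark:
            dev = lookup_table(table, dst)
            if dev:
                return dev
    return None

def simulate(packets):
    """Return (mark, egress device) for each packet, in order."""
    ct, out = Conntrack(), []
    for p in packets:
        mark = mangle_prerouting(ct, p)
        out.append((mark, route(mark, p.dst)))
    return out
```

Because the match is on the connection's original source rather than the packet's, the reply direction of the monitored flow is marked and diverted to eth2 as well.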

Morten Isaksen

Aug 3, 2004, 3:01:10 PM8/3/04
On 3 Aug 2004 02:34:32 -0700, Tor I. Skaar wrote:


> ip rule add fwmark 1 table 2
> ip route add 0/0 dev eth2 table 2

> The marking of packets works correctly (log as expected), but iproute2
> does not perform routing.

> Any suggestions to why this does not work?

I don't know if it makes a difference, but I use this syntax:

ip rule add fwmark 1 table 100 pref 1000
ip route add table 200 scope global nexthop dev eth2

--
Morten Isaksen
http://www.aub.dk/~misak/

Tor I. Skaar

Aug 4, 2004, 5:10:58 AM8/4/04
Morten Isaksen <mi...@aub.dk> wrote in message news:<15904q5m0c2kn$.z742sb1s38s9$.d...@40tude.net>...

It shouldn't make any difference, as the order of the selector (e.g.
fwmark) and action (e.g. table) doesn't matter, and the extra
parameters you use are optional.

The thing is that I have gotten exactly this configuration to work in
a static network setup, but without the bridge (bridge + hub patch).

It's really puzzling, as my iproute2 rules are very simple.
