author | Bart De Schuymer <bdschuym@pandora.be> | 2003-02-15 13:47:40 +0000 |
---|---|---|
committer | Bart De Schuymer <bdschuym@pandora.be> | 2003-02-15 13:47:40 +0000 |
commit | 9ea96e2d24e2576a995f766c1fd0de1dd3f1f50e (patch) | |
tree | 7cbf03eaa4985a0b651e64fd6e68d09ade22be55 | |
parent | 740d3e89cc3631c36a9a15e1a8b64629fa3681f6 (diff) |
added some entries
-rw-r--r-- | docs/ebtables-faq.html | 203 |
1 files changed, 139 insertions, 64 deletions
diff --git a/docs/ebtables-faq.html b/docs/ebtables-faq.html index e40ed48..8fafbc2 100644 --- a/docs/ebtables-faq.html +++ b/docs/ebtables-faq.html @@ -11,7 +11,7 @@ <META name="keywords" content= "Linux, netfilter, firewall, bridge, brouter, ebtables, iptables"> <META name="keywords" content= - "FAQ, kernel, br-nf, br-nf-bds, ethernet, nat, chains, rules, tables"> + "FAQ, kernel, ebtables, br-nf, br-nf-bds, ethernet, nat, chains, rules, tables"> </HEAD> <BODY> <DIV class="banner" align="center"> @@ -30,15 +30,18 @@ <LI> <B><A name="quiz0">Intro</A></B> <DL> - <DT>What is the ebtables?</DT> - <DD>The ebtables project is the Linux 2.4.x Link Layer - firewalling subsystem. It delivers for Linux the functionality of + <DT>What is ebtables?</DT> + <DD>The ebtables project is the Linux 2.5.x (and above) Link Layer + firewalling subsystem, a patch for 2.4.x is maintained too. + It delivers for Linux the functionality of Ethernet frame filtering, all kinds of frame NAT (Network Address - Translation) and frame matching. Currently ebtables is not a part - of 2.4.x kernels, but now in the >=2.5.40 kernels.</DD> + Translation) and frame matching. The ebtables infrastructure is + a part of the standard Linux 2.5.x (and above) kernels.</DD> <DT>Why do I use it?</DT> - <DD>Probably, to filter frames by MAC-address or frame type at - Link Layer inside Your Linux-based Ethernet bridge.</DD> + <DD>To filter frames by MAC-address or frame type at + Link Layer inside your Linux-based Ethernet bridge, to do + some basic filtering of certain protocol headers, to + make a Linux brouter.</DD> </DL> <A class=navbar href="#top">[Back to the top]</A> <HR> 
@@ -46,51 +49,61 @@ <LI> <B><A name="quiz1">Installation</A></B> <DL> - <DT>What should I do to know before ebtables installation?</DT> - <DD>First step is to check what the kernel version will be used - with ebtables. If the kernel version above than 2.5.39 was - installed, then kernel sources need no to be patched by the - <B>ebtables_kernel</B> and <B>br-nf-bds</B> patches. Go to <A - href="http://sourceforge.net/projects/ebtables/">Ethernet bridge - tables</A> and download <B>br_nf_bds</B>, <B>ebtables_kernel</B> - and <B>ebtables</B> packages.</DD> - <DT>What is the "ebtables_kernel" package and why should I use - it?</DT> + <DT>What should I know before ebtables installation?</DT> + <DD>First step is to decide what kernel version to use. If you + want to use a 2.5.x (or above) kernel, then just use the latest + and greatest kernel version. You won't have to patch the kernel. + Check out the submitted kernel patches, available through the + <A href="http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html"> + sourcecode</A> section of the ebtables <A href="http://users.pandora.be/bart.de.schuymer/ebtables"> + homepage</A> to see if there have been patches applied in later + kernel versions than the one you are using.</DD> + <DD>If you want to use a 2.4.x kernel, then go to + <A href="http://sourceforge.net/projects/ebtables/">Ethernet bridge + tables</A> and download the <B>br_nf_bds</B>, <B>ebtables_kernel</B> + and <B>ebtables</B> packages. Use the latest packages and use the + kernel version for which the kernel patches were made. The + <B>ebtables_kernel</B> patch has to be applied before the <B>br_nf_bds</B> + kernel patch.</DD> + <DT>What is the "ebtables_kernel" package and how do I install it?</DT> <DD> The <B>ebtables_kernel</B> package contains a patch against a - Linux kernel. It allows filtering on the Link Layer (OSI Layer - 2). Well know that iptables works on the Network Layer (OSI - Layer 3) and on the upper layers. 
For a bridging firewall it is - important to be able to filter on Link Layer as well. Copy - patch file to the kernel source (usually it named - /usr/src/linux or /usr/src/linux-2.X.YY) and execute + Linux 2.4.x kernel. It allows filtering on the Link Layer (OSI Layer + 2). It is well-known that iptables works on the Network Layer (OSI + Layer 3) and on higher layers. For a bridging firewall it is + important to be able to filter on the Link Layer as well.</DD> + <DD>Copy the patch file to the kernel source (usually it is named + /usr/src/linux or /usr/src/linux-2.X.YZ) and execute the following + (use the correct file names and directories where necessary) <PRE> +# cd /usr/src/linux # cp ebtables-v2.0.003_vs_2.4.20.diff.gz /usr/src/linux # gunzip ebtables-v2.0.003_vs_2.4.20.diff.gz # patch -p1 < ebtables-v2.0.003_vs_2.4.20.diff </PRE> </DD> - <DT>What is the "br-nf-bds" package and why should I use it?</DT> + <DT>What is the "br-nf-bds" package and how do I install it?</DT> <DD> - The <B>br-nf-bds</B> package contains a patch against Linux + The <B>br-nf-bds</B> package contains a patch against a Linux kernel that is already patched with the <B>ebtables_kernel</B> - patch. It add ability of iptables usage on a bridge to make a - bridging firewall. The big part of this patch was complete by + patch. It adds the ability of iptables usage on bridge packets to make a + bridging firewall. Most work on this patch was done by Lennert Buytenhek. The bridge-nf code is automatically compiled into the patched kernel if the bridge and netfilter support is enabled. <PRE> +# cd /usr/src/linux # cp bridge-nf-0.0.10-against-2.4.20.diff.gz /usr/src/linux # gunzip bridge-nf-0.0.10-against-2.4.20.diff.gz # patch -p1 < bridge-nf-0.0.10-against-2.4.20.diff </PRE> </DD> - <DT>What is the "ebtables" package and why should I use it?</DT> + <DT>What is the "ebtables" package and how do I install it?</DT> <DD> The <B>ebtables</B> package contains the ebtables userspace - tool. 
Namelly this ebtables binary is used to make filtering - rules for the Linux-based Ethernet bridge. The rules is applied - for bridged packets at Link Layer. The ebtables usage is very + tool. This ebtables binary is used to make filtering + rules for the Linux-based Ethernet bridge. All traffic entering + or leaving on a bridge port will be seen by the rules. The ebtables usage is very similar to the iptables, so it should not be so hard. Of course, there is a man page supplied. Just gunzip and untar the package and read the INSTALL file.<BR> @@ -98,8 +111,8 @@ <PRE> # make </PRE> - Put ebtables binary to the superuser binaries directory (f.e. - /usr/sbin) manually or + Copy the ebtables binary, man page and protocol file to the correct + directory (see the INSTALL file for options): <PRE> # make install </PRE> 
@@ -111,27 +124,94 @@ <LI> <B><A name="quiz2">Usage</A></B> <DL> - <DT>Can I drop the ARP packets in linux bridge box using the + <DT>Can I filter on ARP packets in the Linux bridge box using ebtables?</DT> - <DD>Yes, it's possible to filter the ARP packets (same as any - other Ethernet frames) using linux bridge and ebtables together. - According to the rule target, the frame can be dropped, accepted, - passed to next rule, etc.<BR> - See the <A href="ebtables.8.html">ebtables manual page</A> for + <DD>Yes, it's possible to filter on the ARP header, using ebtables. + See the <A href="ebtables.8.html">ebtables manual page</A> for details.</DD> - <DT>Can I use ebtables with iptables? Is there any problems to + <DT>Can I use ebtables with iptables? Are there any problems to use it together?</DT> <DD>Yes, it's possible to use ebtables with iptables. Detailed - info about ebtables/iptables interaction is explained at the page - <A href="br_fw_ia.html">"ebtables/iptables interaction on a - Linux-based bridge"</A></DD> - <DT>Can ebtables to do a frame accounting on my bridge?</DT> + info about ebtables/iptables interaction is explained at the + <A href="http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html"> + "ebtables/iptables interaction on a Linux-based bridge"</A> page.</DD> + <DT>Does ebtables keep count statistics?</DT> <DD> - Yes, it's possible to view bridged frames and bytes count by + Yes, it's possible to view the match and byte count for every rule, using <PRE> # ebtables -L --Lc </PRE> </DD> + <DT>When using the option --Lc, what does the pcnt value represent?</DT> + <DD> + Normally, pcnt will represent the number of frames that matched this rule. However, + if IP connection tracking is enabled, all fragmented IP packets will first be + defragmented. Therefore, the pcnt value for IP packets will then represent the + number of matched IP packets, not the number of matched frames containing IP fragments. 
+ In the BROUTING chain however, pcnt will always represent the number of matched frames, since + the IP connection tracking is not done before this chain is traversed. + </DD> + <DT>What is this brouter stuff and when is it useful?</DT> + <DD> + The ebtables BROUTING chain gets traversed very early, namely right after a frame + is received on a forwarding bridge port. If a rule's decision is to route the frame, + the input device will remain the physical device of the bridge port and the bridge + code won't touch the frame. The frame will be processed by the network stack. If the + decision is to bridge the frame (the default behaviour), then the input device will + become the bridge device on which the port is enslaved and the bridge code will decide + what to do with the frame.</DD> + <DT>So, what's the difference between the ebtables BROUTING and PREROUTING chains?</DT> + <DD>The ebtables PREROUTING chain is only traversed when the bridge code is deciding what + to do with the frame. So, if a BROUTING chain rule decided the frame should be routed, then + the ebtables PREROUTING chain won't see it. See the + <A href="http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html"> + br_fw_ia</A> page for the details.</DD> + <DT>I'm using a 2.5.x or higher kernel and my iptables rules won't match on the bridge port + devices, what's wrong?</DT> + <DD> + There is one difference between the br-nf behaviour in the 2.5.x or higher kernels and + the 2.4.x patch. To get the br-nf code accepted into the standard 2.5.x kernels, we had to + remove the code that automatically checked on the bridge port in the iptables port checking + code (options -i and -o). Instead there is now an iptables match module that you have to use + to filter on the bridge ports. This kernel module is in the standard 2.5.x kernels and the + corresponding userspace module is available in the iptables userspace tool. 
See the iptables + man pages and +<PRE> +#iptables -m physdev -h +</PRE> + The kernel module has to be compiled in the kernel, the option ``physdev match support'' will + appear under the ``IP netfilter configuration'' when the bridge is already enabled in the + configuration. +</DD> + <DT>I want to use the most recent ebtables code, even if it's not yet in an official release. + How do I do this?</DT> + <DD> + The most recent code is available at the <A href="http://sourceforge.net/projects/ebtables"> + sourceforge ebtables</A> CVS repository. To get a copy of the repository, do the following: +<PRE> +#cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/ebtables login +#cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/ebtables co ebtables2 +</PRE> + The current userspace code is in the ebtables2/userspace/ebtables2 directory. To compile the + CVS userspace tool you'll need to do the following: +<PRE> +#make NONSTANDARD=y KERNEL_INCLUDES=/usr/src/linux/include/ +#make install +</PRE> + Obviously you'll need to use the right kernel directory. Why is compiling the CVS different? + Because the kernel include files are not maintained in the userspace directory of the CVS. + When a new ebtables release is made, the kernel include files get copied in the tar file, so + the standard installation knows where to get its kernel include files.</DD> + <DD>To copy the ebtables kernel 2.4.x code to a full 2.4.x kernel tree, use this script: +<PRE> +ebtables2/kernel/scripts/CopyRep +</PRE> +To copy the ebtables kernel 2.5.x code to a full 2.5.x kernel tree, use this script: +<PRE> +ebtables2/kernel/scripts/CopyRep2.5 +</PRE> + You'll need to adjust the variables $FROM and $TO in the script, for more information: read the + script.</DD> </DL> <BR> <A class=navbar href="#top">[Back to the top]</A> 
@@ -140,26 +220,21 @@ <LI> <B><A name="quiz3">Other</A></B><BR> <DL> - <DT>I'm not a Linux system programer, but I need a feature, which - is not (yet) implemented in the ebtables. What should I do?</DT> - <DD>Contact by email to ebtables developers directly or subscribe - to the <A href= - "https://lists.sourceforge.net/lists/listinfo/ebtables-user">ebtables - users mail list</A>. Then post short and clean description of - Your wanted feature to mail list.</DD> - <DT>I'm Linux system programmer and I can do any ebtables feature by - myself. What I should begin in that case?</DT> + <DT>I'm not a Linux system's programmer, but I need a feature, which + is not (yet) implemented in ebtables. What should I do?</DT> + <DD>Subscribe to the <A href= "https://lists.sourceforge.net/lists/listinfo/ebtables-user"> + ebtables users mailing list</A>. Then post a short and clean description of + your wanted feature to this mailing list.</DD> + <DT>I'm a C programmer and I want to add an ebtables feature by + myself. Where should I begin?</DT> <DD>Subscribe to the <A href= "https://lists.sourceforge.net/lists/listinfo/ebtables-devel">ebtables - developers mail list</A>. Learn the <A href= - "ebtables-hacking-HOWTO.html">"Ebtables Hacking HOWTO"</A>. - Create Your account at SourceForge.net (if You still haven't it) - and inform the Project Admin about Your intention to join to - ebtables developers and to make a new ebtables feature. After - that You should be able to working with ebtables source code, - which is placed at SourceForge cvs repository. Now You can make - Your ebtables feature or anything else (to drink a cup of coffee, - f.e. ;).</DD> + developers mail list</A>. Read the <A href= + "ebtables-hacking-HOWTO.html">"Ebtables Hacking HOWTO"</A> and + have a look at the already implemented modules. You will find that + adding a module is not very hard. 
Additional information is available + at the ebtables <A href="http://users.pandora.be/bart.de.schuymer/ebtables"> + homepage</A>.</DD> </DL> <BR> <A class=navbar href="#top">[Back to the top]</A> |