author Bart De Schuymer <bdschuym@pandora.be> 2003-02-15 13:47:40 +0000
committer Bart De Schuymer <bdschuym@pandora.be> 2003-02-15 13:47:40 +0000
commit 9ea96e2d24e2576a995f766c1fd0de1dd3f1f50e (patch)
tree 7cbf03eaa4985a0b651e64fd6e68d09ade22be55
parent 740d3e89cc3631c36a9a15e1a8b64629fa3681f6 (diff)
added some entries
-rw-r--r--  docs/ebtables-faq.html  203
1 files changed, 139 insertions, 64 deletions
diff --git a/docs/ebtables-faq.html b/docs/ebtables-faq.html
index e40ed48..8fafbc2 100644
--- a/docs/ebtables-faq.html
+++ b/docs/ebtables-faq.html
@@ -11,7 +11,7 @@
<META name="keywords" content=
"Linux, netfilter, firewall, bridge, brouter, ebtables, iptables">
<META name="keywords" content=
- "FAQ, kernel, br-nf, br-nf-bds, ethernet, nat, chains, rules, tables">
+ "FAQ, kernel, ebtables, br-nf, br-nf-bds, ethernet, nat, chains, rules, tables">
</HEAD>
<BODY>
<DIV class="banner" align="center">
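Review bot: the edited second `<META name="keywords">` now repeats "ebtables", which the first keywords element two lines above already lists; adding it again gains nothing. If the keyword lists really need to be split across two identically named META elements, at least keep them disjoint, otherwise merge them into one element and drop the duplicate.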
@@ -30,15 +30,18 @@
<LI>
<B><A name="quiz0">Intro</A></B>
<DL>
- <DT>What is the ebtables?</DT>
- <DD>The ebtables project is the Linux 2.4.x Link Layer
- firewalling subsystem. It delivers for Linux the functionality of
+ <DT>What is ebtables?</DT>
+ <DD>The ebtables project is the Linux 2.5.x (and above) Link Layer
+ firewalling subsystem, a patch for 2.4.x is maintained too.
+ It delivers for Linux the functionality of
Ethernet frame filtering, all kinds of frame NAT (Network Address
- Translation) and frame matching. Currently ebtables is not a part
- of 2.4.x kernels, but now in the &gt;=2.5.40 kernels.</DD>
+ Translation) and frame matching. The ebtables infrastructure is
+ a part of the standard Linux 2.5.x (and above) kernels.</DD>
<DT>Why do I use it?</DT>
- <DD>Probably, to filter frames by MAC-address or frame type at
- Link Layer inside Your Linux-based Ethernet bridge.</DD>
+ <DD>To filter frames by MAC-address or frame type at
+ Link Layer inside your Linux-based Ethernet bridge, to do
+ some basic filtering of certain protocol headers, to
+ make a Linux brouter.</DD>
</DL>
<A class=navbar href="#top">[Back to the top]</A>
<HR>
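Review bot: the new wording in the "What is ebtables?" answer has a comma splice: "firewalling subsystem, a patch for 2.4.x is maintained too." should be two sentences (or use a semicolon). "Why do I use it?" reads oddly for a FAQ written from the user's side; "Why would I use it?" is the idiom. The answer that follows strings three infinitive clauses together ("To filter ..., to do ..., to make ...") with no conjunction before the last one; add "and" or turn it into a short list.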
@@ -46,51 +49,61 @@
<LI>
<B><A name="quiz1">Installation</A></B>
<DL>
- <DT>What should I do to know before ebtables installation?</DT>
- <DD>First step is to check what the kernel version will be used
- with ebtables. If the kernel version above than 2.5.39 was
- installed, then kernel sources need no to be patched by the
- <B>ebtables_kernel</B> and <B>br-nf-bds</B> patches. Go to <A
- href="http://sourceforge.net/projects/ebtables/">Ethernet bridge
- tables</A> and download <B>br_nf_bds</B>, <B>ebtables_kernel</B>
- and <B>ebtables</B> packages.</DD>
- <DT>What is the "ebtables_kernel" package and why should I use
- it?</DT>
+ <DT>What should I know before ebtables installation?</DT>
+ <DD>First step is to decide what kernel version to use. If you
+ want to use a 2.5.x (or above) kernel, then just use the latest
+ and greatest kernel version. You won't have to patch the kernel.
+ Check out the submitted kernel patches, available through the
+ <A href="http://users.pandora.be/bart.de.schuymer/ebtables/sourcecode.html">
+ sourcecode</A> section of the ebtables <A href="http://users.pandora.be/bart.de.schuymer/ebtables">
+ homepage</A> to see if there have been patches applied in later
+ kernel versions than the one you are using.</DD>
+ <DD>If you want to use a 2.4.x kernel, then go to
+ <A href="http://sourceforge.net/projects/ebtables/">Ethernet bridge
+ tables</A> and download the <B>br_nf_bds</B>, <B>ebtables_kernel</B>
+ and <B>ebtables</B> packages. Use the latest packages and use the
+ kernel version for which the kernel patches were made. The
+ <B>ebtables_kernel</B> patch has to be applied before the <B>br_nf_bds</B>
+ kernel patch.</DD>
+ <DT>What is the "ebtables_kernel" package and how do I install it?</DT>
<DD>
The <B>ebtables_kernel</B> package contains a patch against a
- Linux kernel. It allows filtering on the Link Layer (OSI Layer
- 2). Well know that iptables works on the Network Layer (OSI
- Layer 3) and on the upper layers. For a bridging firewall it is
- important to be able to filter on Link Layer as well. Copy
- patch file to the kernel source (usually it named
- /usr/src/linux or /usr/src/linux-2.X.YY) and execute
+ Linux 2.4.x kernel. It allows filtering on the Link Layer (OSI Layer
+ 2). It is well-known that iptables works on the Network Layer (OSI
+ Layer 3) and on higher layers. For a bridging firewall it is
+ important to be able to filter on the Link Layer as well.</DD>
+ <DD>Copy the patch file to the kernel source (usually it is named
+ /usr/src/linux or /usr/src/linux-2.X.YZ) and execute the following
+ (use the correct file names and directories where necessary)
<PRE>
+# cd /usr/src/linux
# cp ebtables-v2.0.003_vs_2.4.20.diff.gz /usr/src/linux
# gunzip ebtables-v2.0.003_vs_2.4.20.diff.gz
# patch -p1 &lt; ebtables-v2.0.003_vs_2.4.20.diff
</PRE>
</DD>
- <DT>What is the "br-nf-bds" package and why should I use it?</DT>
+ <DT>What is the "br-nf-bds" package and how do I install it?</DT>
<DD>
- The <B>br-nf-bds</B> package contains a patch against Linux
+ The <B>br-nf-bds</B> package contains a patch against a Linux
kernel that is already patched with the <B>ebtables_kernel</B>
- patch. It add ability of iptables usage on a bridge to make a
- bridging firewall. The big part of this patch was complete by
+ patch. It adds the ability of iptables usage on bridge packets to make a
+ bridging firewall. Most work on this patch was done by
Lennert Buytenhek. The bridge-nf code is automatically compiled
into the patched kernel if the bridge and netfilter support is
enabled.
<PRE>
+# cd /usr/src/linux
# cp bridge-nf-0.0.10-against-2.4.20.diff.gz /usr/src/linux
# gunzip bridge-nf-0.0.10-against-2.4.20.diff.gz
# patch -p1 &lt; bridge-nf-0.0.10-against-2.4.20.diff
</PRE>
</DD>
- <DT>What is the "ebtables" package and why should I use it?</DT>
+ <DT>What is the "ebtables" package and how do I install it?</DT>
<DD>
The <B>ebtables</B> package contains the ebtables userspace
- tool. Namelly this ebtables binary is used to make filtering
- rules for the Linux-based Ethernet bridge. The rules is applied
- for bridged packets at Link Layer. The ebtables usage is very
+ tool. This ebtables binary is used to make filtering
+ rules for the Linux-based Ethernet bridge. All traffic entering
+ or leaving on a bridge port will be seen by the rules. The ebtables usage is very
similar to the iptables, so it should not be so hard. Of
course, there is a man page supplied. Just gunzip and untar the
package and read the INSTALL file.<BR>
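Review bot: both added `# cd /usr/src/linux` lines are placed before the `cp` of the .diff.gz into /usr/src/linux, so the copy now runs from inside the kernel tree with a relative source path and only works if the file was already downloaded there (in which case the copy is pointless). Either move the `cd` after the `cp` or give the source an absolute path. The text tells readers to use the exact kernel version the patches were made for but gives no way to check that before modifying the tree; a `patch -p1 --dry-run < ebtables-v2.0.003_vs_2.4.20.diff` step ahead of the real `patch` would let them confirm the patch applies cleanly. Also, `/usr/src/linux-2.X.YZ` is a placeholder; say so, since the other examples use literal file names.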
@@ -98,8 +111,8 @@
<PRE>
# make
</PRE>
- Put ebtables binary to the superuser binaries directory (f.e.
- /usr/sbin) manually or
+ Copy the ebtables binary, man page and protocol file to the correct
+ directory (see the INSTALL file for options):
<PRE>
# make install
</PRE>
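Review bot: "Copy the ebtables binary, man page and protocol file to the correct directory (see the INSTALL file for options):" followed by `# make install` reads as if the reader should copy the files by hand and then also run `make install`. Say that `make install` performs the copy, and name the protocol file, since a reader who has only built the tool will not know which file is meant.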
@@ -111,27 +124,94 @@
<LI>
<B><A name="quiz2">Usage</A></B>
<DL>
- <DT>Can I drop the ARP packets in linux bridge box using the
+ <DT>Can I filter on ARP packets in the Linux bridge box using
ebtables?</DT>
- <DD>Yes, it's possible to filter the ARP packets (same as any
- other Ethernet frames) using linux bridge and ebtables together.
- According to the rule target, the frame can be dropped, accepted,
- passed to next rule, etc.<BR>
- See the <A href="ebtables.8.html">ebtables manual page</A> for
+ <DD>Yes, it's possible to filter on the ARP header, using ebtables.
+ See the <A href="ebtables.8.html">ebtables manual page</A> for
details.</DD>
- <DT>Can I use ebtables with iptables? Is there any problems to
+ <DT>Can I use ebtables with iptables? Are there any problems to
use it together?</DT>
<DD>Yes, it's possible to use ebtables with iptables. Detailed
- info about ebtables/iptables interaction is explained at the page
- <A href="br_fw_ia.html">"ebtables/iptables interaction on a
- Linux-based bridge"</A></DD>
- <DT>Can ebtables to do a frame accounting on my bridge?</DT>
+ info about ebtables/iptables interaction is explained at the
+ <A href="http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html">
+ "ebtables/iptables interaction on a Linux-based bridge"</A> page.</DD>
+ <DT>Does ebtables keep count statistics?</DT>
<DD>
- Yes, it's possible to view bridged frames and bytes count by
+ Yes, it's possible to view the match and byte count for every rule, using
<PRE>
# ebtables -L --Lc
</PRE>
</DD>
+ <DT>When using the option --Lc, what does the pcnt value represent?</DT>
+ <DD>
+ Normally, pcnt will represent the number of frames that matched this rule. However,
+ if IP connection tracking is enabled, all fragmented IP packets will first be
+ defragmented. Therefore, the pcnt value for IP packets will then represent the
+ number of matched IP packets, not the number of matched frames containing IP fragments.
+ In the BROUTING chain however, pcnt will always represent the number of matched frames, since
+ the IP connection tracking is not done before this chain is traversed.
+ </DD>
+ <DT>What is this brouter stuff and when is it useful?</DT>
+ <DD>
+ The ebtables BROUTING chain gets traversed very early, namely right after a frame
+ is received on a forwarding bridge port. If a rule's decision is to route the frame,
+ the input device will remain the physical device of the bridge port and the bridge
+ code won't touch the frame. The frame will be processed by the network stack. If the
+ decision is to bridge the frame (the default behaviour), then the input device will
+ become the bridge device on which the port is enslaved and the bridge code will decide
+ what to do with the frame.</DD>
+ <DT>So, what's the difference between the ebtables BROUTING and PREROUTING chains?</DT>
+ <DD>The ebtables PREROUTING chain is only traversed when the bridge code is deciding what
+ to do with the frame. So, if a BROUTING chain rule decided the frame should be routed, then
+ the ebtables PREROUTING chain won't see it. See the
+ <A href="http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html">
+ br_fw_ia</A> page for the details.</DD>
+ <DT>I'm using a 2.5.x or higher kernel and my iptables rules won't match on the bridge port
+ devices, what's wrong?</DT>
+ <DD>
+ There is one difference between the br-nf behaviour in the 2.5.x or higher kernels and
+ the 2.4.x patch. To get the br-nf code accepted into the standard 2.5.x kernels, we had to
+ remove the code that automatically checked on the bridge port in the iptables port checking
+ code (options -i and -o). Instead there is now an iptables match module that you have to use
+ to filter on the bridge ports. This kernel module is in the standard 2.5.x kernels and the
+ corresponding userspace module is available in the iptables userspace tool. See the iptables
+ man pages and
+<PRE>
+#iptables -m physdev -h
+</PRE>
+ The kernel module has to be compiled in the kernel, the option ``physdev match support'' will
+ appear under the ``IP netfilter configuration'' when the bridge is already enabled in the
+ configuration.
+</DD>
+ <DT>I want to use the most recent ebtables code, even if it's not yet in an official release.
+ How do I do this?</DT>
+ <DD>
+ The most recent code is available at the <A href="http://sourceforge.net/projects/ebtables">
+ sourceforge ebtables</A> CVS repository. To get a copy of the repository, do the following:
+<PRE>
+#cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/ebtables login
+#cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/ebtables co ebtables2
+</PRE>
+ The current userspace code is in the ebtables2/userspace/ebtables2 directory. To compile the
+ CVS userspace tool you'll need to do the following:
+<PRE>
+#make NONSTANDARD=y KERNEL_INCLUDES=/usr/src/linux/include/
+#make install
+</PRE>
+ Obviously you'll need to use the right kernel directory. Why is compiling the CVS different?
+ Because the kernel include files are not maintained in the userspace directory of the CVS.
+ When a new ebtables release is made, the kernel include files get copied in the tar file, so
+ the standard installation knows where to get its kernel include files.</DD>
+ <DD>To copy the ebtables kernel 2.4.x code to a full 2.4.x kernel tree, use this script:
+<PRE>
+ebtables2/kernel/scripts/CopyRep
+</PRE>
+To copy the ebtables kernel 2.5.x code to a full 2.5.x kernel tree, use this script:
+<PRE>
+ebtables2/kernel/scripts/CopyRep2.5
+</PRE>
+ You'll need to adjust the variables $FROM and $TO in the script, for more information: read the
+ script.</DD>
</DL>
<BR>
<A class=navbar href="#top">[Back to the top]</A>
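Review bot: the CVS build instructions are missing a step: the text says the userspace code lives in ebtables2/userspace/ebtables2, but the `make NONSTANDARD=y KERNEL_INCLUDES=...` line is given without a preceding `cd ebtables2/userspace/ebtables2`, so a reader following it verbatim runs make in the wrong directory. Style: the new `<PRE>` blocks use `#iptables`, `#cvs` and `#make` with no space after the prompt, unlike the `# cp` / `# patch` blocks earlier in the file; with the space missing the lines paste as shell comments. In the physdev answer, "has to be compiled in the kernel" should be "compiled into the kernel", and "the bridge is already enabled in the configuration" would be clearer as "bridge support is already enabled". Lastly, the pcnt answer explains the defragmentation caveat well but should point out that the BROUTING statement applies because BROUTING runs before conntrack, which the preceding sentence states only implicitly.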
@@ -140,26 +220,21 @@
<LI>
<B><A name="quiz3">Other</A></B><BR>
<DL>
- <DT>I'm not a Linux system programer, but I need a feature, which
- is not (yet) implemented in the ebtables. What should I do?</DT>
- <DD>Contact by email to ebtables developers directly or subscribe
- to the <A href=
- "https://lists.sourceforge.net/lists/listinfo/ebtables-user">ebtables
- users mail list</A>. Then post short and clean description of
- Your wanted feature to mail list.</DD>
- <DT>I'm Linux system programmer and I can do any ebtables feature by
- myself. What I should begin in that case?</DT>
+ <DT>I'm not a Linux system's programmer, but I need a feature, which
+ is not (yet) implemented in ebtables. What should I do?</DT>
+ <DD>Subscribe to the <A href= "https://lists.sourceforge.net/lists/listinfo/ebtables-user">
+ ebtables users mailing list</A>. Then post a short and clean description of
+ your wanted feature to this mailing list.</DD>
+ <DT>I'm a C programmer and I want to add an ebtables feature by
+ myself. Where should I begin?</DT>
<DD>Subscribe to the <A href=
"https://lists.sourceforge.net/lists/listinfo/ebtables-devel">ebtables
- developers mail list</A>. Learn the <A href=
- "ebtables-hacking-HOWTO.html">"Ebtables Hacking HOWTO"</A>.
- Create Your account at SourceForge.net (if You still haven't it)
- and inform the Project Admin about Your intention to join to
- ebtables developers and to make a new ebtables feature. After
- that You should be able to working with ebtables source code,
- which is placed at SourceForge cvs repository. Now You can make
- Your ebtables feature or anything else (to drink a cup of coffee,
- f.e. ;).</DD>
+ developers mail list</A>. Read the <A href=
+ "ebtables-hacking-HOWTO.html">"Ebtables Hacking HOWTO"</A> and
+ have a look at the already implemented modules. You will find that
+ adding a module is not very hard. Additional information is available
+ at the ebtables <A href="http://users.pandora.be/bart.de.schuymer/ebtables">
+ homepage</A>.</DD>
</DL>
<BR>
<A class=navbar href="#top">[Back to the top]</A>
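Review bot: "I'm not a Linux system's programmer" should be "I'm not a Linux systems programmer" (no possessive). The two answers are inconsistent: the first now says "ebtables users mailing list" while the unchanged second answer still says "developers mail list"; use "mailing list" in both. The first answer also drops the option of contacting the developers directly that the old text offered; if that is deliberate, fine, but it would help to say the users list is the preferred channel.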