From 38b9d6db07da9643bffdd1a74d4b51e3b07dc2cb Mon Sep 17 00:00:00 2001 From: Bart De Schuymer Date: Sun, 9 Nov 2003 20:55:03 +0000 Subject: *** empty log message *** --- docs/ebtables-faq.html | 113 ++++++++++++++++++++----------------------------- 1 file changed, 45 insertions(+), 68 deletions(-) (limited to 'docs') diff --git a/docs/ebtables-faq.html b/docs/ebtables-faq.html index 7292bf9..bb44344 100644 --- a/docs/ebtables-faq.html +++ b/docs/ebtables-faq.html @@ -17,8 +17,8 @@ - -

Last modified: April 15, 2003

+ +

Last modified: November 09, 2003

Questions

  1. Intro
  2. @@ -39,7 +39,7 @@ Ethernet frame filtering, all kinds of frame NAT (Network Address Translation) and frame matching. The ebtables infrastructure is a part of the standard Linux 2.5.x (and above) kernels. -
    Why do I use it?
    +
    Why would I use it?
    To filter frames by MAC-address or frame type at Link Layer inside your Linux-based Ethernet bridge, to do some basic filtering of certain protocol headers, to @@ -51,52 +51,21 @@
  3. Installation
    -
    What should I know before ebtables installation?
    +
    How do I install the kernel part?
    First step is to decide what kernel version to use. If you want to use a 2.5.x (or above) kernel, then just use the latest and greatest kernel version. You won't have to patch the kernel. - Check out the submitted kernel patches, available through the - - sourcecode section of the ebtables - homepage to see if there are any pending patches.
    +
  4. If you want to use a 2.4.x kernel, then go to Ethernet bridge - tables and download the br_nf_bds, ebtables_kernel - and ebtables packages. Use the latest packages and use the - kernel version for which the kernel patches were made. The - ebtables_kernel patch has to be applied before the br_nf_bds - kernel patch.
    -
    What is the "ebtables_kernel" package and how do I install it?
    -
    - The ebtables_kernel package contains a patch against a - Linux 2.4.x kernel. It allows filtering on the Link Layer (OSI Layer - 2). It is well-known that iptables works on the Network Layer (OSI - Layer 3) and on higher layers. For a bridging firewall it is - important to be able to filter on the Link Layer as well.
    -
    Copy the patch file to the kernel source (usually it is named - /usr/src/linux or /usr/src/linux-2.X.YZ) and execute the following - (use the correct file names and directories where necessary) -
    -# cp ebtables-v2.0.003_vs_2.4.20.diff.gz /usr/src/linux
    -# cd /usr/src/linux
    -# gunzip ebtables-v2.0.003_vs_2.4.20.diff.gz 
    -# patch -p1 < ebtables-v2.0.003_vs_2.4.20.diff
    -
    + tables and download the latest patch from the 2.4-ebtables-brnf + package. Apply the patch as follows (substitute "linux" for the appropriate directory):
    -
    What is the "br-nf-bds" package and how do I install it?
    -
    - The br-nf-bds package contains a patch against a Linux - kernel that is already patched with the ebtables_kernel - patch. It adds the ability of iptables usage on bridge packets to make a - bridging firewall. Most work on this patch was done by - Lennert Buytenhek. The bridge-nf code is automatically compiled - into the patched kernel if the bridge and netfilter support is - enabled.
    -# cp bridge-nf-0.0.10-against-2.4.20.diff.gz /usr/src/linux
    +# cp ebtables-brnf-3_vs_2.4.22.diff.gz /usr/src/linux
     # cd /usr/src/linux
    -# gunzip bridge-nf-0.0.10-against-2.4.20.diff.gz
    -# patch -p1 < bridge-nf-0.0.10-against-2.4.20.diff
    +# gunzip ebtables-brnf-3_vs_2.4.22.diff.gz
    +# patch -p1 < ebtables-brnf-3_vs_2.4.22.diff
     
    What is the "ebtables" package and how do I install it?
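Review bot: the new instruction "substitute "linux" for the appropriate directory" has the substitution backwards; as written it tells the reader to replace their directory name with the literal "linux". It should read "substitute the appropriate directory for "linux"" (or "replace "linux" with your kernel source directory, e.g. /usr/src/linux-2.4.22", since the patch file is named vs_2.4.22). Two facts the removed paragraphs carried are now gone without replacement: that the combined ebtables-brnf patch also adds the bridge-nf code that makes iptables see bridged frames (the only remaining hint is the Problems answer "all bridged IP packets are seen by iptables", which a reader who followed this section has no reason to expect), and that bridge and netfilter support must be enabled in the kernel configuration for that code to be built. One sentence after "download the latest patch from the 2.4-ebtables-brnf package" would restore both. Also, dropping "Check out the submitted kernel patches ... to see if there are any pending patches" leaves "You won't have to patch the kernel" as an unqualified promise for 2.5.x users, while the CVS answer changed later in this same commit says new modules "might not yet be in the standard kernel"; keep a pointer to pending patches or soften the claim.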
    @@ -108,7 +77,7 @@ similar to the iptables, so it should not be so hard. Of course, there is a man page supplied. Just gunzip and untar the package and read the INSTALL file.
    - +
     # make
     
    @@ -123,7 +92,7 @@
  5. - Usage + Usage
    Can I filter on ARP packets in the Linux bridge box using ebtables?
    @@ -131,8 +100,8 @@ See the ebtables manual page for details.
    Can I use ebtables with iptables? Are there any problems to - use it together? How exactly the packet/frame traversing the ebtables/iptables?
    -
    Yes, it's possible to use ebtables with iptables. Detailed + use it together? How exactly is the packet/frame traversing order for ebtables/iptables? +
    Yes, it's possible to use ebtables together with iptables, there are no incompatibility issues. Detailed info about ebtables/iptables interaction is explained at the "ebtables/iptables interaction on a Linux-based bridge" page.
    @@ -173,15 +142,15 @@ There is one difference between the br-nf behaviour in the 2.5.x or higher kernels and the 2.4.x patch. To get the br-nf code accepted into the standard 2.5.x kernels, we had to remove the code that automatically checked on the bridge port in the iptables port checking - code (options -i and -o). Instead there is now an iptables match module that you have to use - to filter on the bridge ports. This kernel module is in the standard 2.5.x kernels and the - corresponding userspace module is available in the iptables userspace tool. See the iptables - man pages and + code (options -i and -o). Instead there is now an iptables match module, called 'physdev', that + can be used to filter on the bridge ports. This match module has some extra options and + is in the standard 2.6 kernels, the corresponding userspace module is available in the + iptables userspace tool. See the iptables man pages and
     # iptables -m physdev -h
     
    - The kernel module has to be compiled in the kernel, the option ``physdev match support'' will - appear under the ``IP netfilter configuration'' when the bridge is already enabled in the + The kernel module has to be compiled in the kernel, the option 'physdev match support' will + appear under the 'IP netfilter configuration' when the bridge is already enabled in the configuration.
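Review bot: changing "a match module that you have to use to filter on the bridge ports" to "a match module ... that can be used" weakens the one point this paragraph exists to make. The unchanged first sentence says the automatic bridge-port check was removed from -i and -o, so a 2.4 rule such as "iptables -A FORWARD -i eth0 ..." that matched a bridge port under the 2.4 patch will silently stop matching it on 2.6, with no error; the reader must switch to the physdev match, whose options "iptables -m physdev -h" (already cited here) lists. Keep "has to be used" and say explicitly that -i/-o now match only the bridge device itself, not its ports. "This match module has some extra options" tells the reader nothing; either say what they let you match or drop the clause. Finally the paragraph now mixes "2.5.x or higher kernels" (unchanged opening sentence) with "standard 2.6 kernels" (new text); pick one.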
    I want to use the most recent ebtables code, even if it's not yet in an official release. @@ -199,20 +168,19 @@ # make KERNEL_INCLUDES=/usr/src/linux/include/ # make install - Obviously you'll need to use the right kernel directory. Why is compiling the CVS different? + Obviously you'll need to use the right kernel directory. +
    Why is compiling the CVS different? Because the kernel include files are not maintained in the userspace directory of the CVS. When a new ebtables release is made, the kernel include files get copied in the tar file, so the standard installation knows where to get its kernel include files.
    -
    To copy the ebtables kernel 2.4.x code to a full 2.4.x kernel tree, use this script: -
    -ebtables2/kernel/scripts/CopyRep
    -
    -To copy the ebtables kernel 2.5.x code to a full 2.5.x kernel tree, use this script: -
    -ebtables2/kernel/scripts/CopyRep2.5
    -
    - You'll need to adjust the variables $FROM and $TO in the script, for more information: read the - script.
    +
    The ebtables CVS tree has its own kernel tree with ebtables related files (for 2.4 and 2.6). + The CVS directory (base_dir)/ebtables2/kernel/linux2.5/include/ can be used for compiling the userspace tool. +
    +
    New ebtables modules might not yet be in the standard kernel. The CVS directory + (base_dir)/ebtables2/kernel/linux2.5/net/bridge/netfilter/ contains the not yet submitted modules. The modules + that are already in the standard kernel are also in this directory and they are normally in sync with the latest + kernel release. +

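Review bot: the new text says "(base_dir)/ebtables2/kernel/linux2.5/include/ can be used for compiling the userspace tool" but does not connect that to the build command shown just above it; state it as the value to pass, i.e. "make KERNEL_INCLUDES=(base_dir)/ebtables2/kernel/linux2.5/include/". The first new sentence claims the CVS kernel tree covers "2.4 and 2.6", yet only a linux2.5 directory is ever named; give the 2.4 path as well or drop the claim. And with the CopyRep/CopyRep2.5 instructions removed, the reader is told where the not-yet-submitted modules live (.../net/bridge/netfilter/) but no longer how to get them into a kernel tree; one sentence on copying them into the matching directory of the kernel source (or a pointer to the scripts, if they still exist in CVS) is needed.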
    [Back to the top] @@ -221,17 +189,26 @@ ebtables2/kernel/scripts/CopyRep2.5
  6. Problems
    -
    My bridging box seems to drop all IP packets, which is not what I want and I'm sure my ebtables rules don't drop them.
    -
    Your iptables rules are probably dropping them then. On a Linux bridging firewall all bridge IP packets are seen by iptables, - so you should take that into account.
    +
    My bridging box seems to drop all IP packets, which is not what I want and I'm sure my + ebtables rules don't drop them.
    +
    Your iptables rules are probably dropping them then. By default, on a Linux bridging firewall all + bridged IP packets are seen by iptables, so you should take that into account.
    This stuff isn't working on my 64-bit machine with a 32-bit userspace (like the Sparc64)
    -
    We know. It's kind of hard to fix this without access to such a machine. The problem is caused by the - different word length between kernel and userspace.
    +
    As from ebtables v2.0.5, ebtables-brnf-2_vs_2.4.21.diff.gz and above 2.6.0-test1, it should work on a Sparc64. + In case it doesn't, please notify the ebtables-devel mailing list. Making it work on a different 64/32 processor + should be easy, but we'll wait for someone to come along who asks for this and who can consequently test the fix.
    +
    I'm getting a message that looks like: ``br_netfilter: Argh!! : bad mac.raw pointer''
    +
    We sometimes get reports about this message occurring. The bridge-nf code reports this message when a + specific irregularity is observed, in technical terms: the mac.raw pointer of the sk_buff isn't set properly. + The most likely cause of this is the network device driver. Since this only happens for a few persons, the + only way to debug this is if those persons are willing to try patches. Up until now this has not been the case.
    + The easiest solution is to try a different type of network card or a different device driver. +
    I'm getting this message when doing IP DNAT: ``Performing cross-bridge DNAT requires IP forwarding to be enabled''
    First make sure IP forwarding is enabled:
    -# echo '1' > /proc/sys/net/ipv4/ip_forward
    +# echo 1 > /proc/sys/net/ipv4/ip_forward
     
    If that's the case and the message doesn't go away, make sure your routing table has all necessary entries. For example, suppose we want to DNAT traffic on a bridge device that doesn't have an IP address to -- cgit v1.2.3
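Review bot: adding "By default" to "all bridged IP packets are seen by iptables" implies there is a way to turn this off, but the answer does not say what it is; either name the setting or keep the original unqualified statement. The Sparc64 answer "As from ebtables v2.0.5, ebtables-brnf-2_vs_2.4.21.diff.gz and above 2.6.0-test1, it should work" is hard to parse; suggest "As of ebtables v2.0.5, with ebtables-brnf-2_vs_2.4.21.diff.gz (or later) on 2.4 or kernel 2.6.0-test1 (or later) on 2.6, it should work". In the new mac.raw answer, "a few persons" should be "a few users". The ip_forward answer tells the reader to turn on forwarding so cross-bridge DNAT works but does not mention that ip_forward is a global setting: once set, the box also routes IP traffic between any of its interfaces, so the FAQ should tell the reader to pair it with an appropriate iptables FORWARD policy.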