From fc1ceb248671e6d2cbdb2c8d9ef95f1205e0dee9 Mon Sep 17 00:00:00 2001
From: Bart De Schuymer
There are five hooks defined in the Linux bridging code.
The sixth hook (BROUTING) is added by the ebtables patch.
- The hooks are specific places in the network
- code on which software can attach itself to process the
- packets/frames passing that hook.
- Figure 2b. Ethernet Bridging hooks
+ Figure 2b. Ethernet bridging hooks
+
+
+ The hooks are specific places in the network + code on which software can attach itself to process the + packets/frames passing that place. For example, the kernel module responsible for the ebtables FORWARD chain is attached onto the bridge FORWARD hook. + This is done when the module is loaded into the kernel or at bootup. +
+
+ Note that the ebtables BROUTING and PREROUTING chains are traversed before the bridging decision, therefore these chains will even see frames that will be
+ ignored by the bridge. You should take that into account when using this chain. Also note that the chains won't see frames entering on a non-forwarding bridge port.
+ The bridge's decision for a frame (as seen on Figure 2b) can be one of these:
+
Figure 2c. Bridging tables (ebtables) traversal @@ -191,11 +211,6 @@ the destination MAC address, it doesn't care about the Network Layer addresses (e.g. IP address).
-If the bridge decides the frame is destined for the local computer, the frame will go through the INPUT chain. @@ -341,19 +356,6 @@ Changing the destination address of the packet (IP address and MAC address) has to happen before the bridge code decides what to do with the frame/packet. - The decision of the bridge code can be one of these: -
So, this IP DNAT has to happen very early in the bridge
@@ -626,7 +628,7 @@ Copyright (c) 2002 Bart De Schuymer <bart.de.schuymer@pandora.be>,
"http://www.gnu.org/licenses/fdl.txt">"GNU Free Documentation License".
- Last updated August 06, 2002. + Last updated August 07, 2002.
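Review bot: In the note added under Figure 2b, "You should take that into account when using this chain" is singular although the sentence before it names two chains, BROUTING and PREROUTING; it should read "these chains". In the same paragraph, "the chains won't see frames entering on a non-forwarding bridge port" does not say whether "the chains" means only those two or every ebtables chain. Anyone relying on ebtables rules for filtering or logging needs that stated precisely, so name the chains explicitly.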
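Review bot: The @@ -191,11 +211,6 @@ hunk drops "If the bridge decides the frame is destined for the local computer, the frame will go through the INPUT chain", the one sentence in the visible lines that ties a bridging decision to a specific ebtables chain. The replacement text in the first hunk ends at "can be one of these:", so please check that the relocated list still states which chain each decision leads to; if it does not, keep this sentence.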
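Review bot: In the @@ -341,19 +356,6 @@ hunk, removing "The decision of the bridge code can be one of these:" leaves the DNAT paragraph talking about what "the bridge code decides" with no description of those decisions nearby. Add a short pointer back to the Figure 2b section, where that list now lives, so the argument for doing IP DNAT "very early" remains easy to follow.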