-rw-r--r--  docs/arptables-faq.html  56
-rw-r--r--  docs/brnf-faq.html       146
-rw-r--r--  docs/brnf.css            73
3 files changed, 275 insertions, 0 deletions
diff --git a/docs/arptables-faq.html b/docs/arptables-faq.html
new file mode 100644
index 0000000..c1aaa8d
--- /dev/null
+++ b/docs/arptables-faq.html
@@ -0,0 +1,56 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML>
+<HEAD>
+ <TITLE>Arptables Frequently Asked Questions</TITLE>
+ <LINK rel="SHORTCUT ICON" href="">
+ <LINK rel="STYLESHEET" type="text/css" href="brnf.css">
+ <META name="description" content="Arptables Frequently Asked Questions">
+ <META name="author" content="Bart De Schuymer">
+ <META name="keywords" content="Linux, netfilter, firewall, bridge, arptables">
+ <META name="keywords" content="FAQ, kernel, arptables, chains, rules, tables">
+</HEAD>
+<BODY>
+ <DIV class="banner" align="center">
+ <H1>Arptables Frequently (and less frequently) Asked Questions</H1>
+ </DIV>
+ <A name="top"></A>
+ <P>Last modified: December 30, 2003</P>
+ <DL>
+ <DT>
+Why does arptables have 2 chains on a 2.4 kernel and 3 chains
+on a 2.6 kernel?
+ </DT>
+ <DD>
+The 2.4 kernel doesn't have the arptables FORWARD chain as 2.4
+kernels can't filter bridged ARP traffic.
+ </DD>
+ <DT>
+When is the bridged ARP traffic seen by arptables?
+ </DT>
+ <DD>
+The artables FORWARD chain sees all ARP packets that are being
+bridged, it sees no other traffic.
+ </DD>
+ <DT>
+What about ARP packets that arrive through a bridge port and
+are delivered to the bridge's local ARP stack?
+ </DT>
+ <DD>
+They are seen in the arptables INPUT chain and have as input
+device the logical bridge device, unless you broute them
+using ebtables. Brouted packets will have the physical bridge
+port as input device.
+ </DD>
+ <DT>
+What about locally generated ARP packets that leave the bridge
+through a logical bridge device?
+ </DT>
+ <DD>
+They are seen in the arptables OUTPUT chain and have as output
+device the logical bridge device.
+ </DD>
+ </DL>
+ <A class=navbar href="#top">[Back to the top]</A>
+ <HR>
+</BODY>
+</HTML>
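Review bot: typo in the second answer of this hunk: `The artables FORWARD chain sees all ARP packets that are being` should read `The arptables FORWARD chain`. Two smaller points in the same file: `<LINK rel="SHORTCUT ICON" href="">` has an empty href, so browsers will fetch the page's own URL as the favicon; either point it at an icon file or drop the line. The third answer says packets are seen on the physical port "unless you broute them using ebtables" without naming where brouting is configured; since this is a FAQ for people setting this up, spell out that this is the BROUTING chain of the ebtables broute table so the reader knows which rule to write.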
diff --git a/docs/brnf-faq.html b/docs/brnf-faq.html
new file mode 100644
index 0000000..0fa94c4
--- /dev/null
+++ b/docs/brnf-faq.html
@@ -0,0 +1,146 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML>
+<HEAD>
+ <TITLE>Bridge-netfilter Frequently Asked Questions</TITLE>
+ <LINK rel="SHORTCUT ICON" href="">
+ <LINK rel="STYLESHEET" type="text/css" href="brnf.css">
+ <META name="description" content="Bridge-netfilter Frequently Asked Questions">
+ <META name="author" content="Bart De Schuymer">
+ <META name="keywords" content="Linux, netfilter, firewall, bridge, brouter, ebtables, iptables">
+ <META name="keywords" content="FAQ, kernel, ebtables, br-nf, brnf, bridge-nf, ethernet, nat, chains, rules, tables">
+</HEAD>
+<BODY>
+ <DIV class="banner" align="center">
+ <H1>Bridge-netfilter Frequently (and less frequently) Asked Questions</H1>
+ </DIV>
+ <A name="top"></A>
+ <P>Last modified: December 30, 2003</P>
+ <H2>Questions</H2>
+ <OL>
+ <LI class="question"><A href="#quiz0">Connection tracking</A></LI>
+ <LI class="question"><A href="#quiz1">General</A></LI>
+ </OL>
+ <H2>Answers</H2>
+ <OL>
+ <LI class="question">
+ <B><A name="quiz0">Connection tracking</A></B>
+ <DL>
+ <DT>
+What happens when I enable connection tracking?
+ </DT>
+ <DD>
+By default, all IP packets will be seen by the connection
+tracking code. This code is called on the PF_INET/PRE_ROUTING
+and PF_INET/LOCAL_OUT hooks. For bridged packets, only the
+PRE_ROUTING connection tracking is important.
+ </DD>
+ </DL>
+ <DL>
+ <DT>
+What are the disadvantages of connection tracking on a bridging
+firewall?
+ </DT>
+ <DD>
+ <OL>
+ <LI>
+For an IP packet entering a bridge device, connection tracking
+is called before the bridge code decides what to do with the
+packet. This means that IP packets that will be discarded by
+the bridge code are tracked by connection tracking. For a router,
+the same is true, but a bridge also sees the traffic between
+hosts on the same side of a network. It's possible to prevent
+these packets from being seen by connection tracking: you can
+either drop them in the ebtables nat PREROUTING chain or use the
+iptables NOTRACK target.
+ </LI>
+ <LI>
+Fragmented IP packets (typically UDP traffic like NFS) are
+defragmented by the connection tracking code and refragmented
+before sending them out. This slows down traffic, but the
+transparancy of the firewall isn't diminished.
+ </LI>
+ </OL>
+ </DD>
+ </DL>
+ <A class=navbar href="#top">[Back to the top]</A>
+ <HR>
+ </LI>
+ <LI class="question">
+ <B><A name="quiz1">General</A></B>
+ <DL>
+ <DT>
+What happens with IP DNAT on a to be bridged packet?
+ </DT>
+ <DD>
+If IP DNAT happened then the bridge-nf code asks the routing
+table where the packet should be sent. If it has to be sent
+over another device (not the bridge device) then the packet is
+routed (an implicit redirect). If the routing table sends the
+packet to the bridge device, then the packet is bridged but the
+MAC destination is correctly changed.
+ </DD>
+ </DL>
+ <DL>
+ <DT>
+How can I disable bridge-nf?
+ </DT>
+ <DD>
+If you don't want iptables and arptables to see bridged traffic,
+you can disable bridge-nf in the 2.6 kernel at compile time by
+disabling "Bridged IP/ARP packets filtering".
+ </DD>
+ </DL>
+ <DL>
+ <DT>
+Can I disable/enable bridge-nf specifics on-the-fly?
+ </DT>
+ <DD>
+As of kernel version 2.6.1, there are three sysctl entries for
+bridge-nf behavioral control (they can be found under
+/proc/sys/net/bridge/):
+ <UL>
+ <LI>
+bridge-nf-call-arptables - pass (1) or don't pass (0) bridged
+ARP traffic to arptables' FORWARD chain.
+ </LI>
+ <LI>
+bridge-nf-call-iptables - pass (1) or don't pass (0) bridged
+IPv4 traffic to iptables' chains.
+ </LI>
+ <LI>
+bridge-nf-filter-vlan-tagged - pass (1) or don't pass (0)
+bridged vlan-tagged ARP/IP traffic to arptables/iptables.
+ </LI>
+ </UL>
+ </DD>
+ </DL>
+
+ <DL>
+ <DT>
+Do {ip,arp}tables see VLAN tagged IP/ARP traffic on an untagged
+bridge?
+ </DT>
+ <DD>
+Yes. Kernel versions 2.6.0-test7 and above have this
+functionality. Patch ebtables-brnf-3-vs-2.4.22 and later patches
+(for 2.4) have this functionality too.
+ </DD>
+ <DT>
+Do {ip,arp}tables see encapsulated 802.2/802.3 IP/ARP traffic?
+ </DT>
+ <DD>
+No. Adding this shouldn't be that hard though.
+ </DD>
+ <DT>
+Does ip6tables see any bridge IPv6 traffic?
+ </DT>
+ <DD>
+Nope, it's on the todo-list.
+ </DD>
+ </DL>
+ <A class=navbar href="#top">[Back to the top]</A>
+ <HR>
+ </LI>
+ </OL>
+</BODY>
+</HTML>
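Review bot: typo in the second connection-tracking answer: `transparancy of the firewall isn't diminished` should read `transparency`. The first General question, `What happens with IP DNAT on a to be bridged packet?`, reads awkwardly; suggest `What happens with IP DNAT on a packet that is to be bridged?`. In the first disadvantage, the NOTRACK option is mentioned without saying which table it lives in; since the point of that sentence is to tell the reader how to keep packets away from conntrack, give the rule shape (NOTRACK is a raw-table target, used from the raw PREROUTING chain) next to the ebtables nat PREROUTING alternative. Structurally, the "Questions" list only links to the two section headings (Connection tracking, General) rather than to the questions themselves, so it works as a table of contents; either list the individual questions there or rename the heading. Minor tone point: `Nope, it's on the todo-list.` is fine for a FAQ but a reader would also want to know what to expect in the meantime, i.e. that bridged IPv6 traffic is simply forwarded unfiltered by ip6tables and can only be matched with ebtables.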
diff --git a/docs/brnf.css b/docs/brnf.css
new file mode 100644
index 0000000..a99ead0
--- /dev/null
+++ b/docs/brnf.css
@@ -0,0 +1,73 @@
+H1 { FONT: bold 20pt Times, serif; TEXT-ALIGN: center; TEXT-DECORATION: none }
+H2 { font: arial }
+P { FONT: 14pt Times, serif }
+LI.question { FONT: 18pt Times, serif; margin-top: 5pt; }
+PRE { FONT: 14pt Courier, monospace;
+ margin-top: 5pt;
+ margin-bottom: 5pt;
+ background-color: white;
+ color: black;
+ }
+
+<<<<<<< ebtables.css
+:link { color: #ccff66 }
+:visited { color: #9933ff }
+=======
+:link { color: #993399 }
+:visited { color: #6633cc }
+>>>>>>> 1.2
+:active { color: #0000FF; }
+:hover { color: #3300ff; }
+
+A {
+ text-decoration: none;
+}
+
+.navbar { FONT: 12pt Courier, monospace; font-weight: bolder;
+ }
+
+.statement { TEXT-DECORATION: underline }
+.section { FONT: bold 22pt Times }
+.case { FONT-STYLE: italic }
+.note {
+ font-family: Arial;
+ font-weight: normal;
+ font-size: 14pt;
+ padding-left: 0.4em;
+ border: solid;
+ border-width: thin;
+ border-left: solid;
+ border-right: none;
+ border-top: none;
+ border-bottom: none;
+ border-left-width: thin;
+ border-color: red;
+ margin-top: 0.2em;
+ margin-bottom: 0.2em;
+}
+
+DIV {
+ border: solid;
+ border-width: thin;
+ background-color: #ffcc99
+}
+
+BODY {
+ background-color: white;
+}
+
+DT {
+ color: #ff0033;
+ font-size: 12pt;
+ font-style: italic;
+ font-weight: bold;
+ font-family: Arial;
+ margin-top: 10pt;
+ margin-bottom: 5pt;
+}
+DD {
+ color: black;
+ font-size: 12pt;
+ font-style: normal;
+ font-family: Helvetica;
+}
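Review bot: this file is committed with unresolved merge-conflict markers (`<<<<<<< ebtables.css`, `=======`, `>>>>>>> 1.2`) around the `:link` / `:visited` rules; browsers will treat the marker lines as invalid CSS and skip them together with the rules they break, so the link colours are effectively undefined. Resolve the conflict and keep one pair, e.g. `:link { color: #993399 }` and `:visited { color: #6633cc }`, and re-check the file for stray markers before committing. Also, `H2 { font: arial }` is not a valid `font` shorthand (it needs at least a size and a family) and will be ignored; use `font-family: Arial` instead. The bare `DIV { border: solid; ... background-color: #ffcc99 }` rule styles every DIV on the page, while the FAQs only use `<DIV class="banner">`; scoping it to `.banner` avoids surprises when more DIVs are added.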