From 5c8b24817cb3907c9d635a2290d7f46cab8aea46 Mon Sep 17 00:00:00 2001
From: Bart De Schuymer <bdschuym@pandora.be>
Date: Tue, 30 Dec 2003 19:07:25 +0000
Subject: *** empty log message ***

---
 docs/arptables-faq.html |  56 +++++++++++++++++++
 docs/brnf-faq.html      | 146 ++++++++++++++++++++++++++++++++++++++++++++++++
 docs/brnf.css           |  73 ++++++++++++++++++++++++
 3 files changed, 275 insertions(+)
 create mode 100644 docs/arptables-faq.html
 create mode 100644 docs/brnf-faq.html
 create mode 100644 docs/brnf.css

diff --git a/docs/arptables-faq.html b/docs/arptables-faq.html
new file mode 100644
index 0000000..c1aaa8d
--- /dev/null
+++ b/docs/arptables-faq.html
@@ -0,0 +1,56 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML>
+<HEAD>
+	<TITLE>Arptables Frequently Asked Questions</TITLE>
+	<LINK rel="SHORTCUT ICON" href="">
+	<LINK rel="STYLESHEET" type="text/css" href="brnf.css">
+	<META name="description" content="Arptables Frequently Asked Questions">
+	<META name="author" content="Bart De Schuymer">
+	<META name="keywords" content="Linux, netfilter, firewall, bridge, arptables">
+	<META name="keywords" content="FAQ, kernel, arptables, chains, rules, tables">
+</HEAD>
+<BODY>
+	<DIV class="banner" align="center">
+		<H1>Arptables Frequently (and less frequently) Asked Questions</H1>
+	</DIV>
+	<A name="top"></A>
+	<P>Last modified: December 30, 2003</P>
+	<DL>
+		<DT>
+Why does arptables have 2 chains on a 2.4 kernel and 3 chains
+on a 2.6 kernel?
+		</DT>
+		<DD>
+The 2.4 kernel doesn't have the arptables FORWARD chain as 2.4
+kernels can't filter bridged ARP traffic.
+		</DD>
+		<DT>
+When is the bridged ARP traffic seen by arptables?
+		</DT>
+		<DD>
+The artables FORWARD chain sees all ARP packets that are being
+bridged, it sees no other traffic.
+		</DD>
+		<DT>
+What about ARP packets that arrive through a bridge port and
+are delivered to the bridge's local ARP stack?
+		</DT>
+		<DD>
+They are seen in the arptables INPUT chain and have as input
+device the logical bridge device, unless you broute them
+using ebtables. Brouted packets will have the physical bridge
+port as input device.
+		</DD>
+		<DT>
+What about locally generated ARP packets that leave the bridge
+through a logical bridge device?
+		</DT>
+		<DD>
+They are seen in the arptables OUTPUT chain and have as output
+device the logical bridge device.
+		</DD>
+	</DL>
+	<A class=navbar href="#top">[Back to the top]</A>
+	<HR>
+</BODY>
+</HTML>
diff --git a/docs/brnf-faq.html b/docs/brnf-faq.html
new file mode 100644
index 0000000..0fa94c4
--- /dev/null
+++ b/docs/brnf-faq.html
@@ -0,0 +1,146 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML>
+<HEAD>
+	<TITLE>Bridge-netfilter Frequently Asked Questions</TITLE>
+	<LINK rel="SHORTCUT ICON" href="">
+	<LINK rel="STYLESHEET" type="text/css" href="brnf.css">
+	<META name="description" content="Bridge-netfilter Frequently Asked Questions">
+	<META name="author" content="Bart De Schuymer">
+	<META name="keywords" content="Linux, netfilter, firewall, bridge, brouter, ebtables, iptables">
+	<META name="keywords" content="FAQ, kernel, ebtables, br-nf, brnf, bridge-nf, ethernet, nat, chains, rules, tables">
+</HEAD>
+<BODY>
+	<DIV class="banner" align="center">
+		<H1>Bridge-netfilter Frequently (and less frequently) Asked Questions</H1>
+	</DIV>
+	<A name="top"></A>
+	<P>Last modified: December 30, 2003</P>
+	<H2>Questions</H2>
+	<OL>
+		<LI class="question"><A href="#quiz0">Connection tracking</A></LI>
+		<LI class="question"><A href="#quiz1">General</A></LI>
+	</OL>
+	<H2>Answers</H2>
+	<OL>
+		<LI class="question">
+			<B><A name="quiz0">Connection tracking</A></B> 
+			<DL>
+				<DT>
+What happens when I enable connection tracking?
+				</DT>
+				<DD>
+By default, all IP packets will be seen by the connection
+tracking code. This code is called on the PF_INET/PRE_ROUTING
+and PF_INET/LOCAL_OUT hooks. For bridged packets, only the
+PRE_ROUTING connection tracking is important.
+				</DD>
+			</DL>
+			<DL>
+				<DT>
+What are the disadvantages of connection tracking on a bridging
+firewall?
+				</DT>
+				<DD>
+					<OL>
+						<LI>
+For an IP packet entering a bridge device, connection tracking
+is called before the bridge code decides what to do with the
+packet. This means that IP packets that will be discarded by
+the bridge code are tracked by connection tracking. For a router,
+the same is true, but a bridge also sees the traffic between
+hosts on the same side of a network. It's possible to prevent
+these packets from being seen by connection tracking: you can
+either drop them in the ebtables nat PREROUTING chain or use the
+iptables NOTRACK target.
+						</LI>
+						<LI>
+Fragmented IP packets (typically UDP traffic like NFS) are
+defragmented by the connection tracking code and refragmented
+before sending them out. This slows down traffic, but the
+transparancy of the firewall isn't diminished.
+						</LI>
+					</OL>
+				</DD>
+			</DL>
+			<A class=navbar href="#top">[Back to the top]</A>
+			<HR>
+		</LI>
+		<LI class="question">
+			<B><A name="quiz1">General</A></B> 
+			<DL>
+				<DT>
+What happens with IP DNAT on a to be bridged packet?
+				</DT>
+				<DD>
+If IP DNAT happened then the bridge-nf code asks the routing
+table where the packet should be sent. If it has to be sent
+over another device (not the bridge device) then the packet is
+routed (an implicit redirect). If the routing table sends the
+packet to the bridge device, then the packet is bridged but the
+MAC destination is correctly changed.
+				</DD>
+			</DL>
+			<DL>
+				<DT>
+How can I disable bridge-nf?
+				</DT>
+				<DD>
+If you don't want iptables and arptables to see bridged traffic,
+you can disable bridge-nf in the 2.6 kernel at compile time by
+disabling "Bridged IP/ARP packets filtering".
+				</DD>
+			</DL>
+			<DL>
+				<DT>
+Can I disable/enable bridge-nf specifics on-the-fly?
+				</DT>
+				<DD>
+As of kernel version 2.6.1, there are three sysctl entries for
+bridge-nf behavioral control (they can be found under
+/proc/sys/net/bridge/):
+					<UL>
+						<LI>
+bridge-nf-call-arptables - pass (1) or don't pass (0) bridged
+ARP traffic to arptables' FORWARD chain.
+						</LI>
+						<LI>
+bridge-nf-call-iptables - pass (1) or don't pass (0) bridged
+IPv4 traffic to iptables' chains.
+						</LI>
+						<LI>
+bridge-nf-filter-vlan-tagged - pass (1) or don't pass (0)
+bridged vlan-tagged ARP/IP traffic to arptables/iptables.
+						</LI>
+					</UL>
+				</DD>
+			</DL>
+			
+			<DL>
+				<DT>
+Do {ip,arp}tables see VLAN tagged IP/ARP traffic on an untagged
+bridge?
+				</DT>
+				<DD>
+Yes. Kernel versions 2.6.0-test7 and above have this
+functionality. Patch ebtables-brnf-3-vs-2.4.22 and later patches
+(for 2.4) have this functionality too.
+				</DD>
+				<DT>
+Do {ip,arp}tables see encapsulated 802.2/802.3 IP/ARP traffic?
+				</DT>
+				<DD>
+No. Adding this shouldn't be that hard though.
+				</DD>
+				<DT>
+Does ip6tables see any bridge IPv6 traffic?
+				</DT>
+				<DD>
+Nope, it's on the todo-list.
+				</DD>
+			</DL>
+			<A class=navbar href="#top">[Back to the top]</A>
+			<HR>
+		</LI>
+	</OL>
+</BODY>
+</HTML>
diff --git a/docs/brnf.css b/docs/brnf.css
new file mode 100644
index 0000000..a99ead0
--- /dev/null
+++ b/docs/brnf.css
@@ -0,0 +1,73 @@
+H1 { FONT: bold 20pt Times, serif; TEXT-ALIGN: center; TEXT-DECORATION: none }
+H2 { font: arial }
+P  {  FONT: 14pt Times, serif }
+LI.question {  FONT: 18pt Times, serif;  margin-top: 5pt; }
+PRE { FONT: 14pt Courier, monospace;
+ margin-top: 5pt;
+ margin-bottom: 5pt;
+ background-color: white;
+ color: black;
+ }
+
+<<<<<<< ebtables.css
+:link { color: #ccff66 }
+:visited { color: #9933ff } 
+=======
+:link { color: #993399 }  
+:visited { color: #6633cc } 
+>>>>>>> 1.2
+:active { color: #0000FF;  } 
+:hover { color: #3300ff;  }
+
+A {
+ text-decoration: none;
+}
+
+.navbar { FONT: 12pt Courier, monospace; font-weight: bolder;  
+ }
+
+.statement { TEXT-DECORATION: underline }
+.section { FONT: bold 22pt Times }
+.case { FONT-STYLE: italic }
+.note {  
+ font-family: Arial;
+ font-weight: normal;
+ font-size: 14pt;
+ padding-left: 0.4em;
+ border: solid;
+ border-width: thin;
+ border-left: solid;
+ border-right: none;
+ border-top: none;
+ border-bottom: none;
+ border-left-width: thin;
+ border-color: red;
+ margin-top: 0.2em;
+ margin-bottom: 0.2em;
+}
+
+DIV {
+ border: solid;
+ border-width: thin;
+ background-color: #ffcc99
+}
+
+BODY {
+ background-color: white;
+}
+
+DT {
+ color: #ff0033;
+ font-size: 12pt; 
+ font-style: italic;
+ font-weight: bold;
+ font-family: Arial;
+ margin-top: 10pt;
+ margin-bottom: 5pt;
+}
+DD {
+ color: black;
+ font-size: 12pt;
+ font-style: normal;
+ font-family: Helvetica;
+}
-- 
cgit v1.2.3