From: Florian Westphal <fw@strlen•de>
To: "Yigal Reiss (yreiss)" <yreiss@cisco•com>
Cc: "netdev@vger•kernel.org" <netdev@vger•kernel.org>
Subject: Re: [PATCH] brouted packet identified as PACKET_OTHERHOST blocked by higher protocol
Date: Tue, 14 Jul 2015 13:59:49 +0200
Message-ID: <20150714115949.GE25674@breakpoint.cc>
In-Reply-To: <3167EFAB95044A4EB6B134B9A39AA98A055B60A2@xmb-rcd-x05.cisco.com>
Yigal Reiss (yreiss) <yreiss@cisco•com> wrote:
> Florian Westphal [mailto:fw@strlen•de] wrote:
> > Maybe, but if you broute everything you might as well just remove the
> > bridge...
> I want to be selective. My setup is a home router. So I can have ebtables rules for
> which traffic to (b)route and which to bridge, based on security/performance criteria.
This usually doesn't work since you can only safely use L3 headers
(unless you disallow ip fragmentation from occurring -- else the first fragment
will be brouted and the rest bridged).
> > You can use -j redirect in ebtables broute table to force local MAC dnat
> > (this also 'fixes' the pkttype to _HOST) if you really want to broute.
> I may be missing something obvious, but what is the normal case where using an
> ebtables 'broute' "-j DROP" rule does work?
It doesn't (for ip protocols), as you discovered.
But there are other protocols too, so I'm not sure it's a good idea to
unconditionally reset pkttype.
(It also changes long-standing behaviour).
Note that broute only "works" in some cases, such as brouting a specific
host.
'Sometimes bridged, sometimes routed' usually causes various issues,
such as ip addresses seemingly 'moving' to a different host.
> What is the original intention of this table/chain if not pulling packets between
> "other hosts" out of the bridge and passing them through the IP and higher layers?
No idea, I did not add this feature.
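The fragmentation problem Florian describes above, as an added example that is not part of this thread: a constructed TCP/80 datagram is split into IPv4 fragments and a simulated BROUTING rule keyed on the TCP destination port is applied to each fragment. The packet builder and the rule emulation are hypothetical helpers written for this illustration; the ebtables broute semantics they assume are that DROP means "route" and ACCEPT means "bridge".

```python
import struct

IPV4_HLEN = 20
TCP_HLEN = 20

def build_ipv4(src, dst, proto, payload, frag_offset=0, more_frags=False, ident=0x1234):
    """Minimal IPv4 header (no options, zero checksum); frag_offset is in 8-byte units."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HLEN + len(payload),
                      ident, flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ipv4(pkt):
    """Return the L3 fields that are present in every fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HLEN])
    return {"proto": proto, "ident": ident, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
            "payload": pkt[ihl:]}

def tcp_dport(pkt):
    """TCP destination port, or None when no L4 header is present (non-first fragment)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6 or ip["frag_offset"] != 0 or len(ip["payload"]) < TCP_HLEN:
        return None
    return struct.unpack("!HH", ip["payload"][:4])[1]

def broute_decision(pkt, routed_dport=80):
    """Emulate `ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j DROP`
    (in the broute table DROP means 'route', ACCEPT means 'bridge')."""
    return "route" if tcp_dport(pkt) == routed_dport else "bridge"

def fragment(pkt, chunk=24):
    """Split a datagram into chunk-byte fragments (chunk must be a multiple of 8)."""
    ip = parse_ipv4(pkt)
    data = ip["payload"]
    frags = []
    for off in range(0, len(data), chunk):
        frags.append(build_ipv4(ip["src"], ip["dst"], ip["proto"], data[off:off + chunk],
                                frag_offset=off // 8, more_frags=(off + chunk) < len(data),
                                ident=ip["ident"]))
    return frags

def decisions_for_flow(payload_len=60):
    """Constructed TCP/80 datagram: brouting decision per fragment after fragmentation."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    pkt = build_ipv4(bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]), 6, tcp + b"x" * payload_len)
    return [broute_decision(f) for f in fragment(pkt)]
```

Only the first fragment carries the TCP header, so it alone is routed while the remaining fragments of the same datagram are bridged, which is exactly the split Florian warns about.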
Thread overview: 6+ messages
2015-07-14 10:37 [PATCH] brouted packet identified as PACKET_OTHERHOST blocked by higher protocol Yigal Reiss (yreiss)
2015-07-14 11:05 ` Florian Westphal
2015-07-14 11:18 ` Yigal Reiss (yreiss)
2015-07-14 11:35 ` Florian Westphal
2015-07-14 11:52 ` Yigal Reiss (yreiss)
2015-07-14 11:59 ` Florian Westphal [this message]