OpenWrt Forum Archive

Topic: Bridging & NetFilter modules... must be simple... but...

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello all,

I'm trying to do something pretty simple (well, at least it should be?!?!) and after hours and hours of web searching and configuration attempts, I decided to post here...

I am using Kamikaze 7.09 with a WRT54GL and Linux kernel 2.6. I want to filter some packets (using a netfilter kernel module) that are exchanged between two ports of my router; these ports are configured in separate VLANs and bridged together like this:

    config switch eth0
            option vlan0    "0 1 5*"
            option vlan1    "2 5"
            option vlan2    "3 5"

    config interface loopback
            option ifname   "lo"
            option proto    static
            option ipaddr   127.0.0.1
            option netmask  255.0.0.0

    config interface lan
            option type     bridge
            option ifname   "eth0.0"
            option proto    static
            option ipaddr   192.168.1.1
            option netmask  255.255.255.0

    config interface test
            option type     bridge
            option ifname   "eth0.1 eth0.2"
            option proto    none

As you can imagine, I have two computers plugged into ports 2 and 3. To make my debugging easy, I gave these computers a fixed IP address in the 192.168.2.XXX range.

I built a small kernel netfilter module with a PF_INET/NF_IP_PRE_ROUTING hook. For now, this hook simply uses printk to output the in-interface name, the source IP address and the destination address of all the traffic on br-test.

On one of the computers, I start a ping of the other computer and I look at my kernel logs.

On my first attempt, the ping was going through successfully, but I was not able to see any traffic on this bridge interface. After some research, I learned that by default the Linux kernel will see only the traffic destined to the router and not the bridged traffic. I saw two options: using ebtables and using bridge-nf. The latter seems simpler for my needs. So, as suggested in another post, I modified the file /target/linux/brcm47xx/config-2.6.23 and added CONFIG_BRIDGE_NETFILTER=y

I rebuilt my kernel and now with the same network configuration and kernel module, I see all the expected traffic on br-test, but the request does not reach the remote host, i.e. the sender of the ping reports "Request timed out", and the receiver of the ping does not show anything in a network trace.

What am I missing?

Thanks in advance, hope I've been clear enough!

Seb

Sorry if this is obvious, but have you checked that the default policy for forwarding is not DROP, or that you don't have a last rule that does a DROP/REJECT? I'm not sure what chains bridge packets go through, but it sounds like whichever one it does is dropping the packets.

The obvious was... well... obvious :)

Running iptables -L -v, I saw lots of packets being dropped by the FORWARD policy (the default policy is DROP for this chain). I didn't even think of looking there, as it was working before activating bridge-nf, but now that the packets are handled by netfilter, it all makes sense.

I simply added a rule to the forwarding_rule chain to ACCEPT everything on br-test and surprise, it works!

Thanks a lot for your answer! I'm learning... I'm learning :)
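The check suggested in the reply above and the fix Seb ended up with can be scripted. The following is an added example written for this archive page, not a script from the thread or from OpenWrt: it parses the first lines of an "iptables -L FORWARD -v -n" listing (the two listings are constructed to look like that output, they were not captured from the poster's router), reports whether bridged traffic on br-test would fall through to a DROP policy, and prints the rule that opens the path. The rule it emits is an assumption of mine that is narrower than "ACCEPT everything on br-test": it only accepts packets that both enter and leave the bridge, so it does not also open forwarding between br-test and the LAN.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits whether bridged traffic on a
# bridge interface will be dropped by the FORWARD chain once bridge-nf hands
# bridged frames to iptables (the symptom described in the thread).

# CONSTRUCTED listing, shaped like `iptables -L FORWARD -v -n` before the fix:
# the chain policy is DROP and its packet counter is already climbing.
LISTING_BEFORE='Chain FORWARD (policy DROP 128 packets, 10752 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# CONSTRUCTED listing after an ACCEPT for traffic entering and leaving br-test
# has been added (shown here inside FORWARD for illustration).
LISTING_AFTER='Chain FORWARD (policy DROP 128 packets, 10752 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3528 ACCEPT     all  --  br-test br-test 0.0.0.0/0            0.0.0.0/0
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the default policy named on the first line of a built-in chain listing.
# User-defined chains (e.g. forwarding_rule) have no policy, so this prints nothing.
chain_policy() {
    printf '%s\n' "$1" | sed -n '1s/^Chain [^ ]* (policy \([A-Z]*\) .*/\1/p'
}

# Print how many packets the chain's default policy has already handled.
policy_packets() {
    printf '%s\n' "$1" | sed -n '1s/^Chain [^ ]* (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# Succeed (exit 0) if some rule in the listing ACCEPTs packets whose
# in-interface column is $2. Rule lines start at record 3, after the
# "Chain ..." line and the column header.
has_accept_for_iface() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        NR > 2 && $3 == "ACCEPT" && $6 == ifc { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Diagnose listing $1 for bridge $2: print a verdict and return 0 when bridged
# traffic will pass, 1 when the DROP policy will swallow it.
audit_bridge_forwarding() {
    listing=$1
    bridge=$2
    if has_accept_for_iface "$listing" "$bridge"; then
        echo "ok: ACCEPT rule present for $bridge"
        return 0
    fi
    policy=$(chain_policy "$listing")
    if [ "$policy" = "DROP" ]; then
        dropped=$(policy_packets "$listing")
        echo "problem: no ACCEPT for $bridge and policy DROP ($dropped packets dropped so far)"
        return 1
    fi
    echo "ok: no rule for $bridge but policy is ${policy:-n/a}"
    return 0
}

# The rule that resolves it. It goes into forwarding_rule, the user chain the
# thread mentions, and is restricted to traffic that both enters and leaves the
# bridge (an assumption of this example, narrower than what Seb described).
accept_rule_for_bridge() {
    printf 'iptables -I forwarding_rule -i %s -o %s -j ACCEPT\n' "$1" "$1"
}

# Walk through both constructed states when run directly.
audit_bridge_forwarding "$LISTING_BEFORE" br-test || accept_rule_for_bridge br-test
audit_bridge_forwarding "$LISTING_AFTER" br-test
```

On a router the constructed strings would be replaced by the real output of iptables -L FORWARD -v -n (and of iptables -L forwarding_rule -v -n, where the user chain has no policy line and only the rule scan applies). A kernel built with CONFIG_BRIDGE_NETFILTER also exposes the hand-off as /proc/sys/net/bridge/bridge-nf-call-iptables, which is the switch to inspect first when bridged traffic suddenly starts or stops appearing in the iptables counters.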

The discussion might have continued from here.