OpenWrt Forum Archive

Topic: Ebtables kernel error

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a setup at home as follows:

DHCP clients  -----> (wifi)(bridge) Openwrt -----> (eth)Main Router

The device I'm using is a TP-Link MR3020 with Barrier Breaker, and I tried to set up a transparent proxy for bridge traffic - I want to redirect the packets passing through the bridge to a proxy server (`privoxy`). I tried to use `ebtables`. But when I enter the following command:

    ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

I got the following error:

    Unable to update the kernel. Two possible causes:
    1. Multiple ebtables programs were executing simultaneously. The ebtables
    userspace tool doesn't by default support multiple ebtables programs running
    concurrently. The ebtables option --concurrent or a tool like flock can be
    used to support concurrent scripts that update the ebtables kernel tables.
    2. The kernel doesn't support a certain ebtables extension, consider
    recompiling your kernel or insmod the extension.

I tried to activate the IPv4 package with `insmod`, but no luck.

Any ideas on how to accomplish this?

Anyone with an answer?

> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

It looks to me like you have conflicting protocols, specifying IPv4 with -p but also specifying IPv6 with --ip-protocol. Can't have both in the same line.

Also, I suspect, you will find no support for L4 filtering in ebtables on openwrt. The highest I have got ebtables to work is L3 (network address).

If you need L4, then you are going to have to "mark" the packet at ebtables, then act on the packet at iptables. I have a write up on how to do this when running a brouter firewall.
https://github.com/cvmiller/v6brouter

HTH

cvmiller wrote:

It looks to me like you have conflicting protocols, specifying IPv4 with -p but also specifying IPv6 with --ip-protocol. Can't have both in the same line.

No, you're wrong. ip protocol does not mean IP version. It's the protocol number. 6 = TCP

bolvan, you are right.

However, I have seen the same error when asking ebtables to do L4 filtering (TCP is L4), it doesn't appear to be supported on OpenWRT. One has to use iptables to do L4 filtering.

Thank you for the answer, cvmiller, but I want to filter only http and https; other ports should not be intercepted in the bridge traffic. So, what I want to do is take only port 80 and 443 connections in the bridge traffic and redirect them to the proxy. Are you sure OpenWRT does not support L4 filtering with ebtables?

I think I understand what you are trying to do, and it sounds reasonable. However, when I was attempting to get the brouter project going, I ran into similar errors until I removed the L4 in the filter. That is why I went with "mark" and let iptables do the L4 filtering.

However, this may not work for you, since you are not creating a firewall, but rather a selective proxy.

The easiest way to debug this is to start removing components of your ebtables filter, until you get no errors. Then you can determine which parts of the line are causing problems.

HTH
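An added example covering the two suggestions in this thread (bisecting the ebtables rule component by component, and marking the frame in ebtables so iptables does the L4 redirect). This is my script, not code from any poster or from the v6brouter project. It assumes privoxy listens on TCP 8118 (its stock default), that firewall mark 0x1 is otherwise unused, and that the box runs a POSIX sh such as busybox ash; the `EBT`/`IPT` variables exist only so the helpers can be dry-run.

```shell
#!/bin/sh
# Added example for this thread, not code from the posters or v6brouter.
# Assumptions (mine): privoxy on TCP 8118, fwmark 0x1 free, POSIX sh.

EBT="${EBT:-ebtables}"          # overridable for dry runs / testing
IPT="${IPT:-iptables}"
PROXY_PORT="${PROXY_PORT:-8118}"
PROXY_MARK="${PROXY_MARK:-0x1}"

# Automates "remove components of the filter until the error goes away":
# builds the BROUTING rule from $1, then "$1 $2", then "$1 $2 $3" ... and
# reports the first component the kernel refuses. Every successful append
# is deleted again immediately, so the table is left as it was.
# Prints "rejected: <component>" (status 1) or "accepted: <rule>" (status 0).
# Components are passed as separate arguments and are word-split on purpose.
probe_rule_components() {
    probe_rule=""
    for comp in "$@"; do
        probe_rule="$probe_rule $comp"
        if $EBT -t broute -A BROUTING $probe_rule >/dev/null 2>&1; then
            $EBT -t broute -D BROUTING $probe_rule >/dev/null 2>&1
        else
            echo "rejected: $comp"
            return 1
        fi
    done
    echo "accepted:$probe_rule"
    return 0
}

# The "mark in ebtables, act in iptables" pattern for a transparent proxy.
# Caveat that bites here: in the broute table DROP means "hand the frame to
# the routing stack" and ACCEPT means "keep bridging", so the mark target
# must end with --mark-target DROP or the packet never reaches iptables.
# Emits one ebtables and one iptables command per port, one per line.
emit_proxy_rules() {
    for port in "$@"; do
        echo "$EBT -t broute -A BROUTING -p IPv4 --ip-proto 6 --ip-dport $port -j mark --mark-set $PROXY_MARK --mark-target DROP"
        echo "$IPT -t nat -A PREROUTING -p tcp --dport $port -m mark --mark $PROXY_MARK -j REDIRECT --to-ports $PROXY_PORT"
    done
}

# Runs the emitted rules in this shell; stops and returns 1 on the first failure.
apply_proxy_rules() {
    emit_proxy_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Only touch the kernel when explicitly asked: "probe" bisects the poster's
# rule (with the DROP standard target), "apply" installs rules for 80 and 443.
case "${1:-}" in
    probe) probe_rule_components "-p IPv4" "--ip-proto 6" "--ip-dport 80" \
                                 "-j redirect --redirect-target DROP" ;;
    apply) apply_proxy_rules 80 443 ;;
esac
```

Run `sh probe.sh probe` on the router as root to see which extension the kernel rejects (and compare with `lsmod | grep ebt_` to find the missing module), then `sh probe.sh apply` once the rule loads. Port 443 is marked and redirected because the poster asked for it, but a plain HTTP proxy listener cannot interpret TLS records, so only the port 80 traffic is actually proxied; intercepting HTTPS needs a TLS-terminating proxy whose CA the clients trust.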
