Re: How to transfer an IP packet based on ebtables and iptables?



Sumin Xia wrote:
> According to my understanding, if I implement ebtables on my Linux  
> system, a frame should be passed through ebtables modules.

Ebtables sees only packets on interfaces that are part of a bridge.

> Then, if  
> ebtables modules find the destination mac address of the frame is the  
> local mac address, it will transfer the frame to layer-3, that is  
> iptables, right?

Iptables is normally called from the IP layer, and the layer 3 is the IP
layer if the packet is an IP packet. But if the kernel was built with
the option CONFIG_BRIDGE_NETFILTER enabled (which is the most common
AFAICS) and /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1
(the default), things are a bit more complicated: some iptables chains
are called from the bridge and interleaved with ebtables chains, and
won't be called from the IP layer. This is shown on the diagram in the
article about netfilter/iptables at Wikipedia. The purpose is to allow
the use of iptables capabilities on purely bridged IP traffic.

> Now I want to do a test, which modifies the destination mac address of  
> a frame before sending it. Therefore, the frame will be forwarded to  
> another destination instead of the real destination, while its  
> destination ip address is still the real destination ip address. In  
> this case, when the frame arrives at the pseudo destination machine, will  
> it be transferred to layer-3 of the system?

> If it is transferred to layer-3  
> of the system, the system will find the destination ip address is not  
> local ip address. What will happen next? Drop the packet? or send an  
> ARP request to find the real destination mac address and forward it?

It depends whether the machine acts as a host or a router. If it acts as
a host, it will discard the packet. If it acts as a router, it will try
to forward the packet to the next hop (which may not be the final
destination) according to its routing table. It will send an ARP request
only if it is a necessary step in order to reach the next hop.
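The host-versus-router distinction in the reply above, and the earlier question of whether a frame reaches layer 3 at all, can be walked through step by step. The following is an added example and not code from this thread or from the netfilter project: it parses a constructed Ethernet + IPv4 frame and applies the decisions described in the reply (destination MAC ours or broadcast, destination IP local, ip_forward set, route to a next hop). The MAC addresses, IP addresses and routing table are all constructed sample values, and the model covers a plain (non-bridged) interface; on a bridge port the frame can additionally be forwarded at layer 2 to other ports, with the bridge-nf hooks the reply mentions, which this model does not represent.

```python
"""Receive-path decision model for an Ethernet/IPv4 frame (added example).

Walks the decisions described in the reply: (1) does the frame reach
layer 3 at all (destination MAC is ours or broadcast), (2) at layer 3,
is the destination IP local, and if not, does the machine act as a
router (ip_forward=1) and have a route to a next hop for which it would
need to ARP.  All addresses below are constructed sample values.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample configuration of the receiving machine.
LOCAL_MAC = "02:00:00:00:00:01"
LOCAL_IPS = ["10.0.0.1"]
ROUTES = [("10.0.0.0/24", None),        # on-link: ARP for the destination itself
          ("0.0.0.0/0", "10.0.0.254")]  # default route: ARP for the gateway


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Minimal Ethernet + IPv4 header (no payload, checksum left at 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def parse_frame(frame):
    """Return (dst_mac, src_mac, ethertype, dst_ip or None for non-IPv4)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    dst_ip = None
    if etype == ETHERTYPE_IPV4:
        if len(frame) < 34 or (frame[14] & 0x0F) < 5:
            raise ValueError("truncated or malformed IPv4 header")
        dst_ip = ipaddress.ip_address(frame[30:34])  # dst address at IPv4 offset 16
    return mac_str(dst), mac_str(src), etype, dst_ip


def next_hop(dst_ip, routes):
    """Longest-prefix match; returns the address the router must ARP for."""
    best = None
    for net_text, gw in routes:
        net = ipaddress.ip_network(net_text)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    net, gw = best
    return ipaddress.ip_address(gw) if gw is not None else dst_ip


def receive_decision(frame, local_mac, local_ips, ip_forward, routes):
    """Apply the layer-2 and layer-3 decisions from the reply to one frame."""
    dst_mac, _, etype, dst_ip = parse_frame(frame)
    # Layer 2: a non-promiscuous interface only hands up frames addressed to it
    # (multicast is ignored here to keep the model small).
    if dst_mac not in (local_mac, BROADCAST_MAC):
        return "dropped at layer 2: destination MAC is not ours"
    if etype != ETHERTYPE_IPV4:
        return f"passed to non-IP handler for ethertype 0x{etype:04x}"
    # Layer 3: local delivery, else host drops / router forwards.
    if dst_ip in {ipaddress.ip_address(a) for a in local_ips}:
        return "delivered locally"
    if not ip_forward:
        return "dropped at layer 3: not local and ip_forward=0 (host)"
    hop = next_hop(dst_ip, routes)
    if hop is None:
        return "dropped at layer 3: no route (router)"
    return f"forwarded: ARP for next hop {hop}"


def demo():
    """Run the scenarios from the thread against the sample configuration."""
    other_mac = "02:00:00:00:00:02"
    return {
        "to_us_local_ip": receive_decision(
            build_frame(LOCAL_MAC, other_mac, "10.0.0.9", "10.0.0.1"),
            LOCAL_MAC, LOCAL_IPS, False, ROUTES),
        "to_us_foreign_ip_host": receive_decision(
            build_frame(LOCAL_MAC, other_mac, "10.0.0.9", "192.168.1.5"),
            LOCAL_MAC, LOCAL_IPS, False, ROUTES),
        "to_us_foreign_ip_router": receive_decision(
            build_frame(LOCAL_MAC, other_mac, "10.0.0.9", "192.168.1.5"),
            LOCAL_MAC, LOCAL_IPS, True, ROUTES),
        "to_us_onlink_ip_router": receive_decision(
            build_frame(LOCAL_MAC, other_mac, "10.0.0.9", "10.0.0.7"),
            LOCAL_MAC, LOCAL_IPS, True, ROUTES),
        "not_our_mac": receive_decision(
            build_frame("02:00:00:00:00:ff", other_mac, "10.0.0.9", "10.0.0.1"),
            LOCAL_MAC, LOCAL_IPS, False, ROUTES),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The router case shows the detail the reply makes: an ARP request is issued for whatever the routing table names as the next hop, which is the gateway for an off-link destination and the destination itself only when it is on-link. On a real Linux machine the equivalent of the `ip_forward` flag is /proc/sys/net/ipv4/ip_forward, and an `ip route get <address>` lookup gives the next hop this model approximates with a longest-prefix match.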