[LiSA-Users] [RE] Linux Multilayer Switch support netfilter ?

Radu Rendec radu.rendec at ines.ro
Wed Aug 9 11:55:58 EEST 2006 

Hi,

What you've got there is normal behaviour, because you inserted the rule
in the FORWARD chain and that chain applies to packets forwarded at OSI
Layer 3 (routed packets).

With your network configuration packets will only be forwarded at Layer
2 (switched) between eth0, eth1 and vlan1.

You can get pretty good diagrams about netfilter packet flow here:
http://www.csh.rit.edu/~mattw/proj/nf/

Your ping requests however go through the OUTPUT chain before reaching
vlan1 output queue. Ping replies from host A in your diagram go through
the INPUT chain after they are received by vlan1 and before they reach
upper layers processing.

You can get packets to pass through the FORWARD chain if you assign eth1
a different vlan (let's say 2) and do routing between vlan1 and vlan2.
But I think this would make no sense at all with only two physical
interfaces - you could assign the ip addresses directly to the physical
interfaces and forget about LiSA.

Regards,

Radu Rendec


On Wed, 2006-08-09 at 10:43 +0900, jwpark wrote:
> Hi. 
> 
> Thanks for your reply.
> 
>  
> 
> 1. My test environment..
> 
>  
> 
> <host A> ---- (eth0) <linux box(LiSA is installed)> (eth1) ---
> <Gateway>  -- external
> 
>  
> 
> Kernel : 2.6.16.19
> 
> LiSA : lisa-2006.04.04-2
> 
>  
> 
> 2. And my VLAN configuration
> 
> [root at flight ~]# cat /proc/net/switch/vif 
> 
> vlan1
> 
>  
> 
> [root at flight ~]# cat /proc/net/switch/ifaces 
> 
> Port  Trunk  Enabled  VLAN
> 
> ----  -----  -------  ----
> 
> eth1      0        1  1   
> 
> eth0      0        1  1
> 
>  
> 
> [root at flight ~]# cat /proc/net/switch/vlan 
> 
> VLAN Name                             Status    Ports
> 
> ---- -------------------------------- ---------
> -------------------------------
> 
> 1    default                          active    eth1 eth0 
> 
> 1002 fddi-default                     active    
> 
> 1003 trcrf-default                    active    
> 
> 1004 fddinet-default                  active    
> 
> 1005 trbrf-default                    active    
> 
>  
> 
> [root at flight ~]# ifconfig vlan1
> 
> vlan1     Link encap:Ethernet  HWaddr 00:6C:6D:73:00:01  
> 
>           inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx
> Mask:255.255.255.0
> 
>           UP BROADCAST RUNNING MULTICAST  MTU:1460  Metric:1
> 
>           RX packets:213666 errors:0 dropped:0 overruns:0 frame:0
> 
>           TX packets:92644 errors:0 dropped:0 overruns:0 carrier:0
> 
>           collisions:0 txqueuelen:1000 
> 
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> 
>  
> 
> 3. netfilter rule
> 
> [root at flight ~]# iptables -L -nv
> 
> Chain INPUT (policy ACCEPT 1528K packets, 188M bytes)
> 
>  pkts bytes target     prot opt in     out     source
> destination 
> 
>  
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> 
>  pkts bytes target     prot opt in     out     source
> destination 
> 
>     0     0 DROP       icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0   
> 
>  
> 
> Chain OUTPUT (policy ACCEPT 427K packets, 67M bytes)
> 
>  pkts bytes target     prot opt in     out     source
>           destination 
> 
>  
> 
>  
> 
> 
>  
> 
> When I executed ping to external host in <host A>, I received the
> reply.
> 
> But I inserted policy to drop the icmp.
> 
> And the packets/bytes count(FORWARD chain and the drop rule) did not
> increased.
> 
>  
> 
> Regards,
> 
>  
> 
>  
> 
>  
> 
> 
> _______________________________________________
> LiSA-Users mailing list
> LiSA-Users at lisa.ines.ro
> http://lisa.ines.ro/mailman/listinfo/lisa-users

More information about the LiSA-Users mailing list