Odd behaviour of the ebtables BROUTING target "redirect"


Situation

(host A)-------(bridge B)------(host C)

Where:

  • A has MAC A on its interface
  • C has MAC C on its interface
  • B has two MACs, MAC BA and MAC BC, on its interfaces (depending on which host it faces)
  • B has MAC BB on its bridge

The bridge links the two interfaces together and uses ebtables and iptables for filtering.

If I set a single ebtables rule to redirect all frames carrying IPv4 to L3 filtering:

ebtables -t broute -A BROUTING -p IPV4 -i eth1 -j redirect --redirect-target DROP

Then, if I send a frame carrying IPv4 from A to C, and if I believe what the documentation says, I should see one of the bridge interface's MAC addresses (MAC BA) as the destination MAC address when L3 filtering kicks in.

redirect
   The  redirect  target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the
   BROUTING chain of the broute table and the PREROUTING chain of the nat table.  In the BROUTING chain, the MAC address of  the  bridge  port  is
   used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.

   --redirect-target target
          Specifies  the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do.
          The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP  in  the
          BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed.

Observation

When I set up iptables to log incoming packets:

iptables -t raw -A PREROUTING -j LOG --log-prefix "ip_raw_prerouting: " --log-level debug

I can see that the frame iptables receives has MAC BA as source and MAC A as destination, rather than what I expected (MAC A as the unchanged source and MAC BA as the new destination).

Log information

  • MAC A=08:00:27:17:49:6d
  • MAC C=08:00:27:d5:24:36
  • MAC BA=08:00:27:d8:32:61

On the bridge:

kern.log

Aug 19 17:51:05 spy kernel: [20963.557665] br_br IN=eth1 OUT= MAC source = 08:00:27:17:49:6d MAC dest = 08:00:27:d5:24:36 proto = 0x0800
Aug 19 17:51:05 spy kernel: [20963.557701] ip_raw_pre: IN=eth1 OUT= MAC=08:00:27:d8:32:61:08:00:27:17:49:6d:08:00 SRC=192.168.142.254 DST=192.168.142.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55401 DF PROTO=TCP SPT=46721 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 

# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 08:00:27:df:b7:98 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 08:00:27:d8:32:61 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 08:00:27:d8:32:61 brd ff:ff:ff:ff:ff:ff

Question

Any idea what this is? Any further information is welcome!

Additional tags (I don't have enough rep here): ebtables, netfilter, brouter

Answer 1

This is actually all normal.

In the log, MAC=08:00:27:d8:32:61:08:00:27:17:49:6d:08:00 is actually destMAC:sourceMAC:proto
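To make the answer's point concrete, here is an added example (my own code, not part of the question or the answer) that splits the MAC= field of an iptables LOG line into destination MAC, source MAC and EtherType, and checks the frame against the MACs listed in the question. The log line is the one from the question's kern.log; the function names and the 14-byte check (Ethernet without a VLAN tag) are my assumptions.

```python
import re
from dataclasses import dataclass

# Log line taken from the question's kern.log (not constructed).
LOG_LINE = (
    "Aug 19 17:51:05 spy kernel: [20963.557701] ip_raw_pre: IN=eth1 OUT= "
    "MAC=08:00:27:d8:32:61:08:00:27:17:49:6d:08:00 SRC=192.168.142.254 "
    "DST=192.168.142.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55401 DF "
    "PROTO=TCP SPT=46721 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0"
)

# MAC addresses as listed in the question.
MAC_A = "08:00:27:17:49:6d"   # host A
MAC_BA = "08:00:27:d8:32:61"  # bridge port eth1 on B, the side facing A

ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class EthHeader:
    dst: str
    src: str
    ethertype: int


def parse_log_mac(line: str) -> EthHeader:
    """Split the MAC= field of an iptables LOG line.

    The LOG target dumps the raw link-layer header as colon-separated
    bytes.  For Ethernet that is 6 bytes destination, 6 bytes source and
    2 bytes EtherType (14 bytes), in that order: dst first, not src.
    Assumption: untagged Ethernet, so exactly 14 bytes are expected.
    """
    m = re.search(r"\bMAC=([0-9a-fA-F:]+)", line)
    if m is None:
        raise ValueError("no MAC= field in line")
    octets = m.group(1).lower().split(":")
    if len(octets) != 14 or any(len(o) != 2 for o in octets):
        raise ValueError(f"unexpected link-layer header length: {len(octets)} bytes")
    return EthHeader(
        dst=":".join(octets[0:6]),
        src=":".join(octets[6:12]),
        ethertype=int(octets[12] + octets[13], 16),
    )


def redirect_applied(line: str, port_mac: str, sender_mac: str) -> bool:
    """True if the logged frame shows what the ebtables manual promises for
    redirect in BROUTING: destination rewritten to the bridge port's MAC,
    source left untouched, and the payload IPv4."""
    hdr = parse_log_mac(line)
    return (hdr.dst == port_mac.lower()
            and hdr.src == sender_mac.lower()
            and hdr.ethertype == ETHERTYPE_IPV4)


if __name__ == "__main__":
    hdr = parse_log_mac(LOG_LINE)
    print(f"dst={hdr.dst} src={hdr.src} ethertype=0x{hdr.ethertype:04x}")
    print("redirect applied as documented:", redirect_applied(LOG_LINE, MAC_BA, MAC_A))
```

Run against the question's own log line, the parser reports dst=08:00:27:d8:32:61 (MAC BA, the eth1 port MAC) and src=08:00:27:17:49:6d (MAC A), which is exactly the rewrite the man page describes; the apparent swap comes only from reading the MAC= field as source-then-destination.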
