Re: [Ebtables-devel] --arpreply-mac AUTO and Mac Masquerading
From: Bart De S. <bds...@pa...> - 2006-04-08 09:07:15
On Sat, 08-04-2006 at 06:14 +0200, os...@ki... wrote:
> Since we want IP traffic to also be mac masqueraded we need 2 more things
> on the bridge. First we need to set up the bridge to send out arpreplies
> for the preconfigured macs. And second, we need to snat all the traffic
> from the customers with their preconfigured mac. This I solved by marking
> the packets in iptables mangle prerouting and the matching in ebtables
> postrouting.

Sorry, I don't quite see why you need to snat their traffic...

> So in conclusion, the only thing that needs to be done for this whole
> thing to work is to make the --arpreply-mac AUTO check in the bridge
> fdb for an entry. Read about some timer issues in the old thread. But is
> that really necessary? Doesn't the bridge fdb take care of all that?

I was probably thinking that the arp entries would be cached by the arpreply
target. That way you don't need the arp code. But you can add a new entry into
the arp cache without having to actually redirect the packet (something like
that would then best be put in a watcher module, so the user can decide which
arp packets can be used to fill the arp cache). Of course, probably someone
somewhere will need this --arpreply-mac-auto option but without it filling the
arp cache...

How about something like this for your setup: the bridge replies to all (or
some) arp requests from the customers by telling them the corresponding mac
address is the bridge's mac address. So, all customers will send their packets
with the bridge's mac as destination. Then just use iptables masquerading on
the bridge. See the example setup discussed in
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

Of course, the drawback is that you need to assign the bridge an ip address.

cheers,
Bart
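The setup Bart sketches in the reply above, written out as a shell script. This is an added example, not code from the ebtables project or from either poster. The interface names (br0, eth0), the bridge address 10.0.0.1/24 and the bridge MAC 00:11:22:33:44:55 are assumptions; replace them with the real ones. The script only prints the commands unless DRY_RUN=0 is set, so it can be reviewed before anything is applied:

```shell
#!/bin/sh
# Added example (not from the ebtables project or the list thread): the
# bridge answers ARP requests from the customer port with its own MAC, so
# customers address all IP traffic to the bridge; the kernel then routes it
# and iptables masquerades it. No per-customer SNAT or mark/match pair needed.
#
# Assumed layout (all assumptions): bridge br0, customer port eth0, bridge
# address 10.0.0.1/24, bridge MAC 00:11:22:33:44:55.
# With DRY_RUN=1 (the default) the commands are printed, not executed.

BRIDGE=${BRIDGE:-br0}
CUST_IF=${CUST_IF:-eth0}
BRIDGE_IP=${BRIDGE_IP:-10.0.0.1/24}
BRIDGE_MAC=${BRIDGE_MAC:-00:11:22:33:44:55}
DRY_RUN=${DRY_RUN:-1}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the drawback Bart mentions. Frames sent to the bridge MAC leave the
# bridge for the IP stack, so the bridge needs an address and forwarding on.
bridge_ip_setup() {
    run ip addr add "$BRIDGE_IP" dev "$BRIDGE"
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 2: answer ARP requests arriving on the customer port with the bridge
# MAC. --arpreply-target DROP (also the ebtables default) stops the original
# request from being forwarded; otherwise the real host would answer too and
# the customer would end up with whichever reply arrived last.
# $1 (optional): only answer requests for this IP (--arp-ip-dst), i.e. the
# "some" variant; without it the bridge answers every request ("all").
arp_reply_rules() {
    if [ -n "${1:-}" ]; then
        run ebtables -t nat -A PREROUTING -i "$CUST_IF" -p ARP \
            --arp-opcode Request --arp-ip-dst "$1" \
            -j arpreply --arpreply-mac "$BRIDGE_MAC" --arpreply-target DROP
    else
        run ebtables -t nat -A PREROUTING -i "$CUST_IF" -p ARP \
            --arp-opcode Request \
            -j arpreply --arpreply-mac "$BRIDGE_MAC" --arpreply-target DROP
    fi
}

# Step 3: everything the customers send is now routed by the bridge host, so
# ordinary iptables masquerading on the bridge device rewrites the source
# address (and, as a consequence, the source MAC is the bridge's own).
masquerade_rules() {
    run iptables -t nat -A POSTROUTING -o "$BRIDGE" -j MASQUERADE
}

configure() {
    bridge_ip_setup
    arp_reply_rules "${1:-}"
    masquerade_rules
}

configure "$@"
```

Run it as `./bridge-masq.sh` to see the rules, `DRY_RUN=0 ./bridge-masq.sh` to apply them, and `./bridge-masq.sh 10.0.0.254` to restrict the ARP answering to one target address. Note that with the "all" variant even customer-to-customer traffic is pulled through the IP stack, which is what makes the per-customer SNAT unnecessary but also means the bridge sees and routes every flow.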