1

I'm currently setting up an Ubuntu 12.04 with 2 net interfaces. eth0 is on LAN_USERS (192.168.5.0/24) intended for user and eth1 is on LAN_INFRA (10.0.4.0) intended for management. Additionally, I've setup a bridge on eth1.

cat /etc/network/interfaces:

auto eth0
iface eth0 inet static
  address 192.168.5.180
  netmask 255.255.255.0
  network 192.168.5.0
  broadcast 192.168.5.255
  gateway 192.168.5.1

auto eth1
iface eth1 inet manual

auto br1
iface br1 inet static
  address 10.0.4.5
  netmask 255.255.255.0
  network 10.0.4.0
  broadcast 10.0.4.255
  gateway 10.0.4.1
  bridge_ports eth1
  bridge_stp on
  bridge_fd 0
  bridge_waitport 0
  1. As of Ubuntu 12.04, reverse path filtering is enabled (rp_filter=1)
  2. The output of # route -n is: 
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    100    0        0 eth0
10.0.4.0        0.0.0.0         255.255.255.0   U     0      0        0 br1   
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Because of reverse path filtering, br1 isn't visible to networks other than 10.0.4.0. I could disable reverse path filtering, but I decided to setup policy based routing.

Policy based Routing

  1. echo "250 infra >> /etc/iproute2/rt_tables
  2. ip rule add iif br1 table infra
  3. ip route add to default dev br1 table infra
  4. Kernel conf vars: CONFIG_IP_ADVANCED_ROUTER=y and CONFIG_IP_MULTIPLE_TABLES=y
  5. net.ipv4.ip_forward = 0
  6. net.ipv4.conf.eth1.rp_filter = 1
  7. net.ipv4.conf.br1.rp_filter = 1
  8. net.ipv4.conf.all.log_martians = 1

And it's not working....

How can i debug my PBR rules? Any obvious mistakes with my setup?

Cheers

UPDATE: What I need is to route answers to packets coming from br1 back out via br1 again and not eth0. My simplest use case is: pings from 192.168.5.10 to 10.0.4.5 do not return cause of the default route and rp_filter=1. They are dropped as martian packets.

Vassilis
  • 131
  • 1
  • 6
  • What kind of use case is pinging an interface you are not allowed to connect to anyway (management network)? Is this system going to be the router for these subnets? Are eth0 and eth1 connected to the same ethernet segment? You should describe (ASCII art) your network structure and the connections which shall be possible. – Hauke Laging Apr 29 '13 at 14:03
  • Bridges do not route packets, routers route packets; bridges bridge frames. Also, bridges do not send frames out the same interface where they entered the bridge. – Ron Maupin Mar 30 '20 at 01:05

1 Answers1

0

Your configuration says: "If a packet has arrived on br1 then send it via br1." That obviously doesn't make sense. Rules like that are for routers but you don't even mention routing.

What you mean is: "Send packets which are a reply to packets which have arrived on br1 via br1." This could be done with Netfilter's packet marks and the ip rule option fwmark. But here this would not make sense. Because you use rp_filter you can simply route by target address. You don't even need advanced routing (ip rule). For that. Plain normal routing should do the job: "Send 10.0.4.0/24 via br1, the rest via eth0."

You have explained what you have done but have not mentioned any task that would require a complicated setup. If you "don't do anything" special what goes wrong then?

Hauke Laging
  • 5,285
  • 2
  • 24
  • 40