I would like to communicate with a special IP address from a tiny Linux device that has two Ethernet interfaces which are used in a bridge.
The bridge is set up like so:
# Delete bridge if it exists
ip link delete $BRIDGE_IF type bridge
# Prepare device-facing interface
ip link set dev $DEVICE_IF down
ip address flush dev $DEVICE_IF
ip address add 0.0.0.0 dev $DEVICE_IF
ip link set dev $DEVICE_IF up
# Prepare network-facing interface
ip link set dev $NETWORK_IF down
ip address flush dev $NETWORK_IF
ip address add 0.0.0.0 dev $NETWORK_IF
ip link set dev $NETWORK_IF up
# Create bridge and add interfaces
ip link add name $BRIDGE_IF type bridge
ip link set dev $BRIDGE_IF up
ip link set dev $DEVICE_IF master $BRIDGE_IF
ip link set dev $NETWORK_IF master $BRIDGE_IF
# Add IPv4 address to bridge interface
ip -4 address add $BRIDGE_IPV4 dev $BRIDGE_IF
# Make sure forwarding is enabled.
sysctl -w net.ipv4.ip_forward=1
I have a transparent bridge, but I would like to communicate with $SPECIAL_IP from the device. It has no more Ethernet interfaces, and it needs to use the IP address of the device it's attached to (I can get that reliably with a socket read on $DEVICE_IF).
So, basically, I need to establish TCP/IP communication with an IP address that does not interfere with any other communication going over the bridge. I've tried countless iterations of iptables, ebtables, and setting up routes to no avail. And I don't think re-reading some online documentation for the umpteenth time will help (e.g., http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section7).
Edit: Added Diagram
Edit: Added Reasoning / Background
I need to add some functionality to many (think many thousands) legacy Ethernet-enabled devices which we cannot change (i.e., no software or firmware updates possible or allowed). The "Mini Linux Device" provides firewall functionality, but also needs to send and receive communication itself to provide all the added functionality. Many (about 65%) of the networks on which the legacy devices reside cannot add enough new IP addresses (nor enough new MAC addresses, for "reasons") to allow for all the legacy devices to have a "Mini Linux Device" added to them. This is because (1) more than 50% of the XXX.XXX.XXX.0/24 is used, and (2) many IP addresses and/or MAC addresses are "hard coded" in some upstream control systems. These "silly" network (IP and MAC) limitations are for legacy reasons (think 1990s SCADA networks); therefore, I'm trying to make the "Mini Linux Device" so that it need only use the IP and MAC of the device it is augmenting. So I've created a bridge, and I can add an iptables firewall, which makes us better than nothing, but in order to add the additional functionality the "Mini Linux Device" needs to be able to communicate itself.
NOTE 1: We can guarantee that the IP addresses ($SPECIAL_IP), of which there are more than one, are IP addresses that the legacy device will never, or should never, communicate with directly, and they are mostly, though not exclusively, outside of the private address space.
NOTE 2: If there is a completely different way I could implement this, I'm all ears, though I would still love to know if this is possible.
Does anyone know how to do this?
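Before layering ebtables or iptables rules on top, it helps to confirm that the bridge really came up the way the setup script intends (bridge up, exactly the two members enslaved, no strays). The following is an added check, not part of the question or any answer; it parses the JSON that `ip -j link show` prints, and the interface names eth0/eth1/br0 and the embedded sample output are constructed assumptions.

```python
"""Sanity-check the bridge topology produced by the setup script above."""
import json
import subprocess

# Constructed sample: what `ip -j link show` might print after the script ran
# with DEVICE_IF=eth0, NETWORK_IF=eth1, BRIDGE_IF=br0 (assumed names/MACs).
SAMPLE_LINKS = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP"], "operstate": "UNKNOWN"},
    {"ifname": "eth0", "flags": ["BROADCAST", "UP", "LOWER_UP"],
     "master": "br0", "operstate": "UP", "address": "02:00:00:00:00:01"},
    {"ifname": "eth1", "flags": ["BROADCAST", "UP", "LOWER_UP"],
     "master": "br0", "operstate": "UP", "address": "02:00:00:00:00:02"},
    {"ifname": "br0", "flags": ["BROADCAST", "UP", "LOWER_UP"],
     "operstate": "UP", "address": "02:00:00:00:00:01"},
])


def check_bridge(links_json, bridge, members):
    """Return a list of problems; an empty list means the topology matches."""
    by_name = {link["ifname"]: link for link in json.loads(links_json)}
    problems = []
    br = by_name.get(bridge)
    if br is None:
        return [f"bridge {bridge} does not exist"]
    if "UP" not in br.get("flags", []):
        problems.append(f"{bridge} is administratively down")
    for name in members:
        link = by_name.get(name)
        if link is None:
            problems.append(f"member {name} does not exist")
            continue
        if link.get("master") != bridge:
            problems.append(f"{name} is not enslaved to {bridge} "
                            f"(master={link.get('master')})")
        if "UP" not in link.get("flags", []):
            problems.append(f"{name} is administratively down")
    # Anything else enslaved to the bridge is an unexpected member.
    for name, link in by_name.items():
        if link.get("master") == bridge and name not in members:
            problems.append(f"unexpected member {name} on {bridge}")
    return problems


def live_links():
    """Query the running system (needs iproute2 with JSON support, -j)."""
    return subprocess.check_output(["ip", "-j", "link", "show"], text=True)


if __name__ == "__main__":
    for line in check_bridge(SAMPLE_LINKS, "br0", ["eth0", "eth1"]) or ["ok"]:
        print(line)
```

On the real device, pass `live_links()` instead of `SAMPLE_LINKS` and the script's own $BRIDGE_IF, $DEVICE_IF and $NETWORK_IF values.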