<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
<TITLE>Ethernet Bridge + netfilter Howto: Required software</TITLE>
<LINK HREF="Ethernet-Bridge-netfilter-HOWTO-3.html" REL=next>
<LINK HREF="Ethernet-Bridge-netfilter-HOWTO-1.html" REL=previous>
<LINK HREF="Ethernet-Bridge-netfilter-HOWTO.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="Ethernet-Bridge-netfilter-HOWTO-3.html">Next</A>
<A HREF="Ethernet-Bridge-netfilter-HOWTO-1.html">Previous</A>
<A HREF="Ethernet-Bridge-netfilter-HOWTO.html#toc2">Contents</A>
<HR>
<H2><A NAME="s2">2.</A> <A HREF="Ethernet-Bridge-netfilter-HOWTO.html#toc2">Required software</A></H2>

<P>This software setup is needed on the Ethernet bridge computer, matching our
<A HREF="Ethernet-Bridge-netfilter-HOWTO-4.html#TESTING_Testing_grounds">Testing grounds</A>.</P>

<H2><A NAME="kernel-2.6"></A> <A NAME="ss2.1">2.1</A> <A HREF="Ethernet-Bridge-netfilter-HOWTO.html#toc2.1">Featured Linux kernel </A>
</H2>

<P>Using a kernel of the 2.6 series is not yet a good idea. Yes, it's astonishing.
As long as the reason why the bridging code breaks, and where it does so, has not
come to my attention or that of others, I cannot recommend kernels of the 2.6 series.
Do you have the clue? Earn the credit and mail the solution to me (e-mail address
on the entry page). See also
<A HREF="#kernel-notes">Kernel-Notes</A> for additional
information on this. For now, use the kernel 2.4 series.<BR>
As of kernel version <EM>2.4.18</EM> support for the Ethernet Bridge
capability is built in; no patches are needed for that.
Regarding later kernel versions, <EM>2.4.23</EM> seems less recommendable, especially in conjunction with ebtables and netfilter bridging. Later versions seem advisable.<BR>
The following paragraph is outdated now (2005-07-12), as everything we need is present in the kernel. You may skip it; it is only retained for legacy:<BR>
If we intend to use netfilter capabilities, because we want to run iptables on our new Linux router/firewall box, we still need to apply a patch.
Any patches needed can be found and downloaded on the
<A HREF="Ethernet-Bridge-netfilter-HOWTO-6.html#LINK_Bridge-home">sourceforge Ethernet Bridge homepage</A>.
<BLOCKQUOTE><CODE>
<PRE>
root@bridge:~> cd /usr/src/
root@bridge:~> wget -c http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.18.diff
root@bridge:~> cd /usr/src/linux/
root@bridge:~> patch -p1 -i ../bridge-nf-0.0.7-against-2.4.18.diff
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supposing we want netfilter support on our bridge interface and have already
patched the vanilla kernel, we may now activate the necessary kernel configuration
items. On how to build a private kernel image see the
<A HREF="http://www.think-future.de/DOCUMENTATION/CD-Net-Install-HOWTO/CD-Net-Install-HOWTO-4.html#Kernel_Configuration">CD-Net-Install-HOWTO, Toolbox</A>.
Oh yeah, it's still in German only. Hm, I should fix this some time, but time is lacking... Any volunteers? (deadly silence is cracking.. ;)</P>
<P>Nevertheless, let's start now:
In
<BLOCKQUOTE><CODE>
<PRE>
Code maturity level options
</PRE>
</CODE></BLOCKQUOTE>
we activate
<BLOCKQUOTE><CODE>
<PRE>
[*] Prompt for development and/or incomplete code/drivers
</PRE>
</CODE></BLOCKQUOTE>
and in
<BLOCKQUOTE><CODE>
<PRE>
Loadable module support
</PRE>
</CODE></BLOCKQUOTE>
we activate
<BLOCKQUOTE><CODE>
<PRE>
[*] Enable loadable module support
[*] Set version information on all module symbols
[*] Kernel module loader
</PRE>
</CODE></BLOCKQUOTE>
Ok, so far so good.
Now we go to
<BLOCKQUOTE><CODE>
<PRE>
Networking options
</PRE>
</CODE></BLOCKQUOTE>
and mark
<BLOCKQUOTE><CODE>
<PRE>
[*] Network packet filtering (replaces ipchains)
[ ] Network packet filtering debugging
</PRE>
</CODE></BLOCKQUOTE>
<A NAME="HINT_netfilter_debugging"></A>
<DL>
<DT><B>Note:</B><DD><P>Previously, the above debugging option had been selected. For now,
unless you want your <CODE>/var/log/</CODE> partition filled up in
short order, deactivate this option. <BR>
If this option is activated, messages similar to the following appear
by the thousands in dmesg and <CODE>/var/log/{kern.log,debug,syslog,messages}</CODE>:
<BLOCKQUOTE><CODE>
<PRE>
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 156.136.32.121:3709 192.168.101.2:112 L=52 S=0x00 I=35470 F=0x4000 T=51
nf_hook: hook 1 already set.
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 156.136.32.121:3709 192.168.101.2:112 L=52 S=0x00 I=35470 F=0x4000 T=51
nf_hook: hook 0 already set.
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 192.168.101.11:2828 192.168.101.2:202 L=52 S=0x10 I=63 F=0x4000 T=64
nf_hook: hook 1 already set.
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 192.168.101.11:2828 192.168.101.2:202 L=52 S=0x10 I=63 F=0x4000 T=64
nf_hook: hook 3 already set.
skb: pf=7 (owned) dev=eth1 len=1500
</PRE>
</CODE></BLOCKQUOTE>
</P>
</DL>
</P>
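<P>When the debugging option has been left on, the first question is usually what exactly is flooding the log. The following shell/awk summariser is an added example, not part of this HOWTO: it reads kernel log text of the form quoted in the note above and counts messages per (protocol, source, destination) flow and per <CODE>nf_hook</CODE> hook number, which makes it easy to see where the volume comes from before the option is switched off. The only assumption is the line format shown in the note; the sample input embedded at the end is the note's own lines.</P>

```shell
#!/bin/sh
# Added example, not part of the HOWTO: summarise a flood of the netfilter
# debugging messages quoted above, so the operator can see which flows and
# which hooks are producing them before switching the option off.
# Reads kernel log text on stdin and prints one line per (protocol, source,
# destination) flow and one per "nf_hook ... already set" hook number,
# each with its message count; output is sorted so it is stable.

summarize_nf_debug() {
    awk '
        # "PROTO=<n> SRC:SPORT DST:DPORT L=.. S=.. I=.. F=.. T=.." identifies
        # the packet: count one message per flow.
        /^PROTO=/ {
            split($1, p, "=")
            flows["proto=" p[2] " " $2 " -> " $3]++
            next
        }
        # "nf_hook: hook <n> already set." names the hook that fired twice.
        /^nf_hook: hook [0-9][0-9]* already set/ {
            hooks["hook " $3]++
            next
        }
        # "skb: pf=.. dev=.. len=.." lines carry no flow information; skipped.
        END {
            for (f in flows) printf "flow %-50s %d\n", f, flows[f]
            for (h in hooks) printf "%-55s %d\n", h, hooks[h]
        }' | sort
}

# Sample input: the lines quoted in the note above, fed through the summariser.
summarize_nf_debug <<'EOF'
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 156.136.32.121:3709 192.168.101.2:112 L=52 S=0x00 I=35470 F=0x4000 T=51
nf_hook: hook 1 already set.
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 156.136.32.121:3709 192.168.101.2:112 L=52 S=0x00 I=35470 F=0x4000 T=51
nf_hook: hook 0 already set.
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 192.168.101.11:2828 192.168.101.2:202 L=52 S=0x10 I=63 F=0x4000 T=64
nf_hook: hook 1 already set.
skb: pf=2 (unowned) dev=br0 len=52
PROTO=6 192.168.101.11:2828 192.168.101.2:202 L=52 S=0x10 I=63 F=0x4000 T=64
nf_hook: hook 3 already set.
skb: pf=7 (owned) dev=eth1 len=1500
EOF
```

<P>On a real box the summariser would be fed with <CODE>dmesg | summarize_nf_debug</CODE> or the relevant <CODE>/var/log/</CODE> file; on the note's sample it reports two messages for each of the two flows and counts of 1, 2 and 1 for hooks 0, 1 and 3.</P>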
<P>Furthermore, in
<BLOCKQUOTE><CODE>
<PRE>
IP: Netfilter Configuration ---&gt;
</PRE>
</CODE></BLOCKQUOTE>
we mark every item we need as a module.
Now the long-awaited item: activate
<BLOCKQUOTE><CODE>
<PRE>
&lt;M&gt; 802.1d Ethernet Bridging
</PRE>
</CODE></BLOCKQUOTE>
as well as
<BLOCKQUOTE><CODE>
<PRE>
[*] netfilter (firewalling) support
</PRE>
</CODE></BLOCKQUOTE>
<DL>
<DT><B>Note:</B><DD><P>The above entry is available only if we have successfully patched our kernel!</P>
</DL>
</P>
<P>Finally, we just need a successful
<BLOCKQUOTE><CODE>
<PRE>
root@bridge:~> make dep clean bzImage modules modules_install
</PRE>
</CODE></BLOCKQUOTE>
cycle and we're done.
Don't forget, though, to edit <CODE>/etc/lilo.conf</CODE> and run
<BLOCKQUOTE><CODE>
<PRE>
root@bridge:~> lilo -t
root@bridge:~> lilo
root@bridge:~> reboot
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>
<DL>
<DT><B>Hint:</B><DD><P>Perhaps we might mark our new kernel as the bridge kernel? We
<CODE>vi</CODE> the top-level Makefile in our kernel sources and edit the head
line called <CODE>EXTRAVERSION =</CODE>.
We may actually set it to, say, <EM>bridge</EM>? ;-) <BR>
After the <CODE>modules_install</CODE> we find the fresh modules in
<CODE>/lib/modules/2.4.18bridge</CODE>.<BR>
For Debian users (if needed, use <CODE>export PATCH_THE_KERNEL=YES</CODE>
beforehand and <CODE>--added_patches your_patches</CODE> with make-kpkg):
<BLOCKQUOTE><CODE>
<PRE>
root@bridge:~> make-kpkg --revision=tf.1.0 kernel_image
</PRE>
</CODE></BLOCKQUOTE>
</P>
</DL>
</P>
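<P>Before starting the (long) build cycle it pays to check that the <CODE>.config</CODE> really contains everything this section switched on. The script below is an added example, not part of this HOWTO: it reads a kernel <CODE>.config</CODE>, verifies that the menu entries above are set to <CODE>y</CODE> or <CODE>m</CODE>, accepts either spelling of the bridge-netfilter symbol, and warns when the netfilter debugging option is on, since the note above explains that it floods <CODE>/var/log/</CODE>. The <CODE>CONFIG_*</CODE> names are my mapping of the menu entries, and the assumption that <CODE>CONFIG_BRIDGE_NF</CODE> is the 2.4 bridge-nf patch's symbol and <CODE>CONFIG_BRIDGE_NETFILTER</CODE> the 2.6 one comes from the kernel sources, not from this HOWTO. The sample <CODE>.config</CODE> at the end is constructed for the demonstration.</P>

```shell
#!/bin/sh
# Added example, not part of the HOWTO: check a kernel .config for the
# options section 2.1 enables before spending time on a build, and flag the
# netfilter debugging option that the HOWTO says floods /var/log.
# The CONFIG_* names are my mapping of the menu entries in the text
# (assumption: CONFIG_BRIDGE_NF is the 2.4 bridge-nf patch spelling,
# CONFIG_BRIDGE_NETFILTER the 2.6 spelling).
# Usage: check_bridge_config /usr/src/linux/.config

# Menu entries the HOWTO switches on, mapped to config symbols.
REQUIRED="CONFIG_EXPERIMENTAL CONFIG_MODULES CONFIG_NETFILTER CONFIG_BRIDGE"
BRIDGE_NF_ANY="CONFIG_BRIDGE_NF CONFIG_BRIDGE_NETFILTER"

config_value() {
    # Print the value of symbol $2 in config file $1: "y", "m", or empty when
    # the symbol is absent or appears only as "# CONFIG_X is not set".
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

check_bridge_config() {
    file=$1
    rc=0
    for sym in $REQUIRED; do
        case $(config_value "$file" "$sym") in
            y|m) echo "ok       $sym" ;;
            *)   echo "MISSING  $sym (must be y or m)"; rc=1 ;;
        esac
    done
    # bridge-netfilter support: either spelling of the symbol is accepted.
    found=0
    for sym in $BRIDGE_NF_ANY; do
        case $(config_value "$file" "$sym") in
            y|m) echo "ok       $sym"; found=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING  CONFIG_BRIDGE_NF / CONFIG_BRIDGE_NETFILTER (apply the bridge-nf patch, then enable it)"
        rc=1
    fi
    # The debugging option is a log-flooding risk, not a hard error.
    if [ "$(config_value "$file" CONFIG_NETFILTER_DEBUG)" = y ]; then
        echo "WARNING  CONFIG_NETFILTER_DEBUG=y fills dmesg and /var/log with skb/nf_hook messages"
    fi
    return $rc
}

# Constructed sample .config (not a real kernel config) to demonstrate the
# checks: bridging is on, but bridge-netfilter is off and debugging is on.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
CONFIG_KMOD=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_BRIDGE=m
# CONFIG_BRIDGE_NF is not set
EOF
if check_bridge_config "$SAMPLE"; then
    echo "kernel config is complete for bridge + netfilter"
else
    echo "kernel config is incomplete; fix the MISSING items above"
fi
rm -f "$SAMPLE"
```

<P>Run against the constructed sample, the script reports the four required symbols as ok, the missing bridge-netfilter symbol, and the debugging warning, and exits non-zero; against a complete <CODE>.config</CODE> it exits zero, so it can also gate a build script.</P>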

<H2><A NAME="ss2.2">2.2</A> <A HREF="Ethernet-Bridge-netfilter-HOWTO.html#toc2.2">Userspace tool: <CODE>brctl</CODE></A>
</H2>

<P>Once our kernel has the capabilities needed to perform Ethernet Bridge and netfilter
actions, we prepare the user-space tool <CODE>brctl</CODE>. <CODE>brctl</CODE> is the configuration
tool we use to
<A HREF="Ethernet-Bridge-netfilter-HOWTO-3.html#SETUP_Linux_brctl">set up</A> everything to suit our needs.</P>
<P>We
<A HREF="Ethernet-Bridge-netfilter-HOWTO-6.html#LINK_Bridge-home">download the source tarball</A>, unpack it and
change directory into it.
<BLOCKQUOTE><CODE>
<PRE>
root@bridge:~> wget -c http://bridge.sourceforge.net/bridge-utils/bridge-utils-0.9.5.tar.gz
root@bridge:~> tar xvzf bridge-utils-0.9.5.tar.gz
root@bridge:~> cd bridge-utils-0.9.5
</PRE>
</CODE></BLOCKQUOTE>
At this point, read the <CODE>README</CODE> and the files in the <CODE>doc/</CODE> subdirectory.
Then do a simple make and copy the resulting <CODE>brctl/brctl</CODE> executable to
<CODE>/sbin/</CODE>.
<BLOCKQUOTE><CODE>
<PRE>
root@bridge:~> make
root@bridge:~> cp -vi brctl/brctl /sbin/
</PRE>
</CODE></BLOCKQUOTE>
That's it. Go for
<A HREF="Ethernet-Bridge-netfilter-HOWTO-3.html#SETUP_Linux_brctl">Setup</A> now.</P>

<H2><A NAME="kernel-notes"></A> <A NAME="ss2.3">2.3</A> <A HREF="Ethernet-Bridge-netfilter-HOWTO.html#toc2.3">Kernel-Notes </A>
</H2>

<P>Symptom: everything during setup works, but packets no longer traverse the bridge interfaces as they did in 2.4.<BR>
ipuk s (qasuari_ @ _yahoo.com) wrote (about June 2005):
<BLOCKQUOTE><CODE>
<PRE>
[...]
I have to compile my kernel from 2.4.18-14 to 2.6.0 and activate
bridge-netfilter &amp; ebtables.
After compiling, I can't ping from a host to the interface of the Linux box.
The Linux box just has 1 interface. What's wrong with my compilation???
[...]
</PRE>
</CODE></BLOCKQUOTE>
</P>

<HR>
<A HREF="Ethernet-Bridge-netfilter-HOWTO-3.html">Next</A>
<A HREF="Ethernet-Bridge-netfilter-HOWTO-1.html">Previous</A>
<A HREF="Ethernet-Bridge-netfilter-HOWTO.html#toc2">Contents</A>
</BODY>
</HTML>