Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Dan <dan_at_jisp.net>
Date: Wed, 28 Oct 2009 15:21:30 -0500

Marko Kotar wrote:
> Thanks.
>
> "redirect
>
> The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.
>
> --redirect-target target
>
> Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed."
>
> I think: If accept is used it goes in the tproxy because dst mac is changed to bridge address. (So it goes up as it would if client had gateway configured to that machine?) But should drop also work?
>
>
I decided to test it. I changed my rule to ACCEPT and traffic passes but
not through the proxy. My access.log shows no new traffic after
changing the rule. DROP is what passes the frame off to iptables.
Could you show all your rules? If squid is receiving the traffic the
only thing I can think of is that maybe there is another rule further
down the chain that causes the frame to be routed.

> I have tried drop but it didn't work. I didn't get through any traffic.
> If I didn't use any of ebtable rules it went through.
> But accept works.
> --- On Wed, 10/28/09, Dan <dan_at_jisp.net> wrote:
>
>
>> From: Dan <dan_at_jisp.net>
>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>> To: "Marko Kotar" <kotarmarko_at_yahoo.com>
>> Cc: squid-users_at_squid-cache.org
>> Date: Wednesday, October 28, 2009, 1:03 AM
>> Marko Kotar wrote:
>>
>>> Hi,
>>> You have incorrect commands in squid wiki for tproxy4 ebtables:
>>>
>>> I figured out that it is not "--redirect-target DROP" but it is "--redirect-target ACCEPT".
>>>
>> With ebtables using broute ACCEPT and DROP have special meanings. DROP
>> means route the frame and ACCEPT means bridge the frame.
>>
>> http://ebtables.sourceforge.net/misc/ebtables-man.html
>>
>>> There is a "-j REDIRECT" which should be in lowercase letters "-j redirect".
>>>
>>> Thanks for guide.
>>>
>>> Marko
>>>
>> Dan
Received on Wed Oct 28 2009 - 20:21:38 MDT
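
Added example, not part of the original thread or of the Squid wiki: a small shell check that reads `ebtables -t broute -L` style output and reports, for each `redirect` rule, whether the frame is routed (DROP) or bridged (ACCEPT), following the man page text and Dan's reply above. The sample listing and interface names are constructed, and a rule listed without `--redirect-target` is treated as the default ACCEPT.

```shell
#!/bin/sh
# Constructed sample of `ebtables -t broute -L` output (interface names are made up).
sample_listing() {
cat <<'EOF'
Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
-p IPv4 -i eth2 --ip-proto tcp --ip-dport 80 -j redirect
EOF
}

# Read a broute listing on stdin and print "<verdict>  <rule>" for each redirect rule.
#   ROUTED  = --redirect-target DROP: the frame is routed, i.e. handed to the IP
#             stack where iptables (and so TPROXY) can act on it
#   BRIDGED = ACCEPT: the frame is bridged and does not pass through the proxy
#   OTHER   = CONTINUE or RETURN: the outcome depends on later rules
classify_broute() {
    while IFS= read -r line; do
        case "$line" in
            *"-j redirect"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"--redirect-target DROP"*)   verdict=ROUTED ;;
            *"--redirect-target ACCEPT"*) verdict=BRIDGED ;;
            *"--redirect-target "*)       verdict=OTHER ;;
            *)                            verdict=BRIDGED ;;  # no option given: default is ACCEPT
        esac
        printf '%s  %s\n' "$verdict" "$line"
    done
}

# Number of redirect rules whose traffic would bypass the proxy.
count_bridged() {
    classify_broute | grep -c '^BRIDGED' || true
}

# On a live bridge (as root): ebtables -t broute -L | classify_broute
sample_listing | classify_broute
```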