http://blog.163.com/dyc_888@126/blog/static/10044335120111255249503/
http://blog.chinaunix.net/uid-10694051-id-2935976.html
I. Introduction to ebtables
Like iptables, ebtables is a user-space configuration tool for packet filtering in Linux. "Configuration tool" means that the filtering itself is done by the kernel; both tools only install the rules the kernel applies.
ebtables is the Ethernet bridge firewall. An Ethernet bridge works at the data link layer, so ebtables filters link-layer frames (by MAC address, EtherType and similar fields), including traffic that never reaches the IP layer and is therefore invisible to iptables. The 2.6 kernel has ebtables support built in; to use it you must first install the user-space tool (this page uses ebtables-v2.0.8-2). After installation you can use ebtables to filter frames crossing the bridge. On current distributions the ebtables command is usually ebtables-nft, a compatibility front end over nftables; it accepts the same rule syntax shown below.
II. ebtables Configuration
The configuration of ebtables has three levels: table, chain and rule.
1. Table
Tables are built in and fixed. There are three: filter, nat and broute, selected with the -t option. filter is the one used most, so it is the default when -t is omitted. nat is used for MAC address translation (the snat, dnat and redirect targets), and broute decides, for each frame arriving on a bridge port, whether it is bridged or routed, that is, handed to the host's own IP stack.
2. Chain
Chains are either built in or user defined. Each table has its own built-in chains, which correspond to points in the frame flow diagram: filter has INPUT, FORWARD and OUTPUT; nat has PREROUTING, OUTPUT and POSTROUTING; broute has BROUTING. A user-defined chain hangs off a built-in chain: a rule in the built-in chain jumps to it with -j chain-name.
3. Rules
Each chain holds an ordered list of rules, and each rule combines some match options with a target. A frame is compared with the rules in order; the first rule whose matches all succeed determines what happens to it, and if no rule matches, the chain's policy applies.
The target is the action taken on the frame. The four built-in targets are ACCEPT, DROP, CONTINUE and RETURN; ACCEPT and DROP are the common ones. CONTINUE goes on to the next rule (useful for counting or logging a frame without deciding its fate), and RETURN leaves a user-defined chain and resumes in the calling chain.
The command syntax is:
ebtables [-t table] -[ADI] chain rule-specification [match-extensions] [watcher-extensions] -j target
-t table: the table to operate on; filter when omitted. The chain is generally FORWARD for frames crossing the bridge.
-A: append the rule to the end of the chain. -D: delete a rule, identified either by its rule number or by repeating its full specification. -I: insert a rule at the given rule number (position 1, the head of the chain, when the number is omitted).
-P: set the default policy of a chain (ACCEPT, DROP or RETURN); it applies to frames that match no rule.
-F: flush (delete) all rules of a chain, or of every chain in the table when no chain is named.
-L: list the rules of the table (or of one chain); --Lc also shows the packet and byte counters, --Ln the rule numbers.
-p: the protocol (EtherType) of the frame, e.g. IPv4 or ARP; the names come from /etc/ethertypes. It is optional in general, but required for protocol-specific matches: the --ip-* options below need -p IPv4 (and --arp-* options need -p ARP).
--ip-proto: the IP protocol number: 1 is ICMP, 6 is TCP and 17 is UDP; see /etc/protocols.
--ip-src: source IP address of the packet (optionally with a mask).
--ip-dst: destination IP address of the packet.
--ip-sport: source port (only accepted together with --ip-proto 6 or 17).
--ip-dport: destination port.
-i: the bridge port the frame came in on (valid in INPUT, FORWARD, PREROUTING and BROUTING).
-o: the bridge port the frame leaves on (valid in OUTPUT, FORWARD and POSTROUTING).
-s and -d: source and destination MAC address, the matches the example below is built on.
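The options above put together into a small bridge policy, as an added example that is not part of the original page or of the ebtables project. The port names (eth0 towards the customers, eth1 towards the uplink), the customer MAC and the rogue-DHCP rule are assumptions chosen for illustration; DRY_RUN=1 prints the commands instead of executing them, since ebtables needs root and a bridge.

```shell
#!/bin/sh
# Added example (not from the original page or from the ebtables project): a small
# bridge-firewall policy built from the options listed above. The bridge ports,
# the customer MAC and the DHCP rule are assumptions chosen for illustration.
# DRY_RUN=1 prints the commands instead of executing them.

EBTABLES=${EBTABLES:-/sbin/ebtables}
CUST_IF=${CUST_IF:-eth0}          # bridge port facing the customers (assumed)
UPLINK_IF=${UPLINK_IF:-eth1}      # bridge port facing the upstream router (assumed)
ALLOWED_MAC=00:11:22:33:44:55     # constructed customer MAC address

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Install the policy in the filter table (the default table, so -t is optional).
bridge_policy() {
    run "$EBTABLES" -t filter -F                  # flush every chain of the filter table
    run "$EBTABLES" -t filter -P FORWARD DROP     # default: frames crossing the bridge are dropped
    # ARP must pass in both directions, or nobody on the segment can resolve anything.
    run "$EBTABLES" -A FORWARD -p ARP -j ACCEPT
    # Known customer: IPv4 from its MAC on the customer port towards the uplink ...
    run "$EBTABLES" -A FORWARD -p IPv4 -i "$CUST_IF" -o "$UPLINK_IF" -s "$ALLOWED_MAC" -j ACCEPT
    # ... and replies from the uplink addressed to that MAC.
    run "$EBTABLES" -A FORWARD -p IPv4 -i "$UPLINK_IF" -o "$CUST_IF" -d "$ALLOWED_MAC" -j ACCEPT
    # Rogue DHCP server on the customer side: UDP source port 67. -p IPv4 and
    # --ip-proto 17 are required before --ip-sport is accepted; -I 1 puts the rule
    # ahead of the ACCEPT rules so it is checked first.
    run "$EBTABLES" -I FORWARD 1 -p IPv4 -i "$CUST_IF" --ip-proto 17 --ip-sport 67 -j DROP
    # Log what falls through (the log watcher runs before the target), then drop it.
    run "$EBTABLES" -A FORWARD --log-level info --log-prefix "br-drop: " -j DROP
}

# -I without a number inserts at position 1; -D accepts the rule specification
# instead of a rule number, so a rule can be removed without listing first.
block_mac()   { run "$EBTABLES" -I FORWARD -s "$1" -j DROP; }
unblock_mac() { run "$EBTABLES" -D FORWARD -s "$1" -j DROP; }

# -L lists the chain; --Lc adds packet/byte counters and --Ln the rule numbers.
show_policy() { run "$EBTABLES" -t filter -L FORWARD --Lc --Ln; }

case "${1:-}" in
    apply) bridge_policy ;;
    show)  show_policy ;;
    *)     ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it once with DRY_RUN=1 ./policy.sh apply to review the rule order (the -I rule lands at position 1 even though it is issued after the ACCEPT rules), then without DRY_RUN on the bridge host.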
III. Example
This example comes from the official ebtables website. It uses ebtables together with tc to control user traffic, a common requirement in practice:
limit the bandwidth available to different users based on their MAC address.
Keep in mind that a MAC address is trivially spoofed, so this enforces a bandwidth policy, not an identity check: a user who copies a neighbour's MAC gets that neighbour's class and is counted against it.
Bridge configuration
----------- ifcfg-br0 -----------
DEVICE=br0
ONBOOT=no
BOOTPROTO=static
IPADDR=192.168.111.11
NETMASK=255.255.255.0

----------- bridge_up.sh -----------
#!/bin/bash
ifdown eth0
ifdown eth1                  # take eth0 and eth1 down
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up     # bring them up again without an IP address: bridge ports carry no address of their own
brctl addbr br0              # create the bridge br0 with brctl
brctl addif br0 eth0
brctl addif br0 eth1         # add both interfaces to the bridge br0
ifconfig br0 up

----------- bridge_down.sh -----------
#!/bin/bash
ifdown eth0
ifdown eth1
ifconfig br0 down
brctl delbr br0
The rate shaping part
We're using tc to do the deed. This is my first attempt at this, so I may be doing some things wrong, especially with tc commands - but it works - so I figure, I'll fix it later. You can use ebtables -L --Lc to see your customer's usage. I dump this out hourly, adding the -Z option to zero the counters out, then have a Perl script parse that output and dump it into a MySQL table where I can make better use of it.
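What the hourly dump described above has to deal with, as an added example that is not the site author's Perl script nor part of the original page: a parser that turns "ebtables -L --Lc" output into CSV and sums it per MAC and direction. SAMPLE is constructed output in the format legacy ebtables prints (MAC octets without leading zeros, each rule ending in ", pcnt = N -- bcnt = M"); the counter values are invented.

```shell
#!/bin/sh
# Added example (not from the original page): turn the counters shown by
# "ebtables -L --Lc" into CSV and per-MAC usage totals, the job the author's Perl
# script does. SAMPLE is constructed output in the format legacy ebtables prints
# (MAC octets without leading zeros; each rule ends in ", pcnt = N -- bcnt = M");
# the numbers are invented.

SAMPLE='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-d 0:d:bd:a4:e1:c8 -j mark --mark-set 0x1 --mark-target ACCEPT , pcnt = 1203 -- bcnt = 1532118
-s 0:d:bd:a4:e1:c8 -j mark --mark-set 0x1 --mark-target ACCEPT , pcnt = 811 -- bcnt = 90340
-s 0:a:5e:22:d1:a3 -j ACCEPT , pcnt = 55 -- bcnt = 6020
-j DROP --log , pcnt = 9 -- bcnt = 540

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# stdin: ebtables -L --Lc output.  stdout: chain,direction,mac,packets,bytes
# direction is src for -s rules, dst for -d rules and any for rules without a MAC.
parse_counters() {
    awk '
    function padmac(m,   n, a, i, out) {      # 0:d:bd -> 00:0d:bd
        n = split(m, a, ":"); out = ""
        for (i = 1; i <= n; i++) {
            if (length(a[i]) < 2) a[i] = "0" a[i]
            out = out (i > 1 ? ":" : "") a[i]
        }
        return out
    }
    /^Bridge chain:/ { chain = $3; sub(/,$/, "", chain); next }
    /pcnt = / {
        dir = "any"; mac = "*"; pkts = 0; bytes = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-s")      { dir = "src"; mac = padmac($(i + 1)) }
            else if ($i == "-d") { dir = "dst"; mac = padmac($(i + 1)) }
            else if ($i == "pcnt") pkts = $(i + 2)     # "pcnt = N"
            else if ($i == "bcnt") bytes = $(i + 2)    # "bcnt = M"
        }
        printf "%s,%s,%s,%s,%s\n", chain, dir, mac, pkts, bytes
    }'
}

# Sum packets and bytes per (mac, direction): src is the customer's upload,
# dst its download. Rules without a MAC (the catch-all DROP) are left out.
usage_report() {
    parse_counters | awk -F, '
        $3 != "*" { key = $3 "," $2; p[key] += $4; b[key] += $5 }
        END { for (k in p) printf "%s,%s,%s\n", k, p[k], b[k] }' | sort
}

# Typical use on the bridge, dumping then zeroing the counters as the author does:
#   ebtables -L --Lc | usage_report >> usage-$(date +%Y%m%d%H).csv && ebtables -Z
# On the constructed sample:
#   printf '%s\n' "$SAMPLE" | usage_report
```

Frames between two customers are counted only by the first rule that matches them, so per-MAC upload and download totals from this report are not symmetric and should not be expected to add up across customers.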
----------- rateshape -----------
#!/bin/bash
# All rates are in kbits, so in order to get bytes divide by 8
# e.g. 25 kbps = 3.125 kB/s
TC=/sbin/tc
EBTABLES=/sbin/ebtables      # location of ebtables
cd /usr/local/bridge

tc_start() {
    ${TC} qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
    ${TC} qdisc add dev eth1 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64

    # Customer A
    # two MACs: 00:0d:bd:a4:e1:c8 and 00:20:78:b0:25:7d
    # 256 kbps download speed
    ${TC} class add dev eth0 parent 1:0 classid 1:1 cbq rate 256kbit allot 1514 prio 1 avpkt 1000 bounded
    ${TC} filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:1
    ${EBTABLES} -A FORWARD -d 00:0d:bd:a4:e1:c8 -j mark --set-mark 1 --mark-target ACCEPT
    ${EBTABLES} -A FORWARD -d 00:20:78:b0:25:7d -j mark --set-mark 1 --mark-target ACCEPT
    # 128 kbps upload speed
    ${TC} class add dev eth1 parent 1:0 classid 1:1 cbq rate 128kbit allot 1514 prio 1 avpkt 1000 bounded
    ${TC} filter add dev eth1 parent 1:0 protocol ip handle 1 fw flowid 1:1
    ${EBTABLES} -A FORWARD -s 00:0d:bd:a4:e1:c8 -j mark --set-mark 1 --mark-target ACCEPT
    ${EBTABLES} -A FORWARD -s 00:20:78:b0:25:7d -j mark --set-mark 1 --mark-target ACCEPT

    # Customer B
    # MAC address: 00:0d:bd:a4:d6:54
    # 800 kbps download speed
    ${TC} class add dev eth0 parent 1:0 classid 1:2 cbq rate 800kbit allot 1514 prio 1 avpkt 1000 bounded
    ${TC} filter add dev eth0 parent 1:0 protocol ip handle 2 fw flowid 1:2
    ${EBTABLES} -A FORWARD -d 00:0d:bd:a4:d6:54 -j mark --set-mark 2 --mark-target ACCEPT
    # 64 kbps upload speed
    ${TC} class add dev eth1 parent 1:0 classid 1:2 cbq rate 64kbit allot 1514 prio 1 avpkt 1000 bounded
    ${TC} filter add dev eth1 parent 1:0 protocol ip handle 2 fw flowid 1:2
    ${EBTABLES} -A FORWARD -s 00:0d:bd:a4:d6:54 -j mark --set-mark 2 --mark-target ACCEPT

    # Customer C
    # MAC address: 00:0a:5e:22:d1:a3
    # Do not rate shape!
    ${EBTABLES} -A FORWARD -s 00:0a:5e:22:d1:a3 -j ACCEPT
    ${EBTABLES} -A FORWARD -d 00:0a:5e:22:d1:a3 -j ACCEPT

    # Block anything we didn't specify above.
    ${EBTABLES} -A FORWARD --log -j DROP

    # <my config has over 500 customers and over 1100 MAC addresses>
    # Just keep incrementing the classid, handle, flowid and mark values for each
    # customer's individual speed queues.
}

tc_stop() {
    ./save_and_reset_counters     # helper script referenced by the original; it is not shown on the page
    ${EBTABLES} -F                # delete the rules defined in ebtables
    ${TC} qdisc del dev eth0 root
    ${TC} qdisc del dev eth1 root # delete the queues defined on eth0 and eth1
}

tc_restart() {
    tc_stop
    sleep 1
    tc_start
}

tc_show() {
    # show the queues, classes and filters defined on eth0 and eth1
    echo ""
    echo "eth0"
    ${TC} qdisc show dev eth0
    ${TC} class show dev eth0
    ${TC} filter show dev eth0
    echo ""
    echo "eth1"
    ${TC} qdisc show dev eth1
    ${TC} class show dev eth1
    ${TC} filter show dev eth1
}

# the case statement of the shell script
case "$1" in
    start)
        echo -n "Starting bandwidth shaping: "
        tc_start
        echo "done"
        ;;
    stop)
        echo -n "Stopping bandwidth shaping: "
        tc_stop
        echo "done"
        ;;
    restart)
        echo -n "Restarting bandwidth shaping: "
        tc_restart
        echo "done"
        ;;
    show)
        tc_show
        ;;
    *)
        echo "Usage: rateshape {start|stop|restart|show}"
        ;;
esac

Reading the tc commands: tc identifies queues (qdiscs) and classes by a handle of the form major:minor, where both parts are numbers. For a queue the minor is always 0, so its handle is major:0, which may be abbreviated to major: (queue 1:0 is written 1:). The major must be unique among all queues on one network interface. For a class, the major must equal that of its parent class or parent queue, and the minor must be unique within the queue, since a class always belongs to a queue; two classes under queue 2 therefore both have handles of the form 2:X with different values of X. In "tc qdisc add dev eth0 root handle 1:0 cbq ...", add means create, dev eth0 names the interface, root attaches the queue as the interface's root queue, handle 1:0 is its handle and cbq is the type of queue being added.

How the two tools fit together: the ebtables mark target writes the mark into the frame's socket buffer (the same nfmark that iptables' MARK target uses) and, because of --mark-target ACCEPT, ends rule processing for that frame. When the frame is queued on the outgoing bridge port, the "handle N fw" filter on that port matches the mark and steers the frame into class 1:N. Each port has its own queue, so the class on eth0 caps what a customer downloads (frames addressed to its MAC leaving eth0) and the class on eth1 caps what it uploads (frames from its MAC leaving eth1); that is why every shaped customer needs both a -d rule and an -s rule. Rules are checked in order and the first match wins, so a frame sent from one customer to another is marked and counted by whichever rule comes first. The final -j DROP with the --log watcher makes unknown MACs fail closed, which also means a new customer's MAC must be added before it gets any traffic. Two caveats for anyone reusing this script: CBQ is obsolete and has been retired from recent kernels (HTB is the usual replacement), and the MAC address is the only thing identifying a customer here.
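The same shaping driven by a customer table, as an added example that is not the page's script nor the ebtables site's: HTB replaces the obsolete CBQ, one class per customer id is created so that two MACs can share a class as customer A does, and unknown MACs are still logged and dropped. The interface roles follow the script above (frames leaving eth0 go to the customer, frames leaving eth1 go upstream); the customer table holds the page's example customers, with the id doubling as fwmark and class minor. DRY_RUN=1 prints the tc and ebtables commands instead of running them.

```shell
#!/bin/sh
# Added example (not the page's script, nor the ebtables project's): the same
# per-MAC shaping generated from a customer table, using HTB rather than CBQ.
# Interface roles follow the page's script: frames leaving eth0 go to the
# customer (download), frames leaving eth1 go upstream (upload). The customer
# data is the page's example set; the id doubles as fwmark and class minor.
# DRY_RUN=1 prints the commands instead of running them.

TC=${TC:-/sbin/tc}
EBTABLES=${EBTABLES:-/sbin/ebtables}
CUST_IF=${CUST_IF:-eth0}
UP_IF=${UP_IF:-eth1}

# id  mac  download_kbit  upload_kbit   (0 0 = pass without shaping)
CUSTOMERS='
1 00:0d:bd:a4:e1:c8 256 128
1 00:20:78:b0:25:7d 256 128
2 00:0d:bd:a4:d6:54 800 64
3 00:0a:5e:22:d1:a3 0 0
'

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# One HTB root per port. Frames that match no filter (no mark) bypass shaping;
# only frames the ebtables rules below have marked land in a customer class.
add_root() { run "$TC" qdisc add dev "$1" root handle 1: htb; }

# dev id rate_kbit: a class capped at rate (ceil = rate, like CBQ's "bounded")
# and the fw filter that sends frames carrying fwmark id into it.
add_class() {
    run "$TC" class add dev "$1" parent 1: classid "1:$2" htb rate "${3}kbit" ceil "${3}kbit"
    run "$TC" filter add dev "$1" parent 1: protocol ip handle "$2" fw flowid "1:$2"
}

shape_start() {
    add_root "$CUST_IF"
    add_root "$UP_IF"
    run "$EBTABLES" -F FORWARD
    seen=" "
    printf '%s\n' "$CUSTOMERS" | while read -r id mac down up; do
        [ -z "$id" ] && continue
        if [ "$down" -eq 0 ] && [ "$up" -eq 0 ]; then
            run "$EBTABLES" -A FORWARD -s "$mac" -j ACCEPT
            run "$EBTABLES" -A FORWARD -d "$mac" -j ACCEPT
            continue
        fi
        case "$seen" in
            *" $id "*) ;;                    # another MAC of a known customer: classes exist already
            *) add_class "$CUST_IF" "$id" "$down"
               add_class "$UP_IF" "$id" "$up"
               seen="$seen$id " ;;
        esac
        # download: frames addressed to the customer; upload: frames it sends.
        # The mark target sets the skb mark that tc's fw classifier reads on the egress port.
        run "$EBTABLES" -A FORWARD -d "$mac" -j mark --set-mark "$id" --mark-target ACCEPT
        run "$EBTABLES" -A FORWARD -s "$mac" -j mark --set-mark "$id" --mark-target ACCEPT
    done
    # Unknown MACs are logged and dropped, as in the original script.
    run "$EBTABLES" -A FORWARD --log-level info --log-prefix "unknown-mac: " -j DROP
}

shape_stop() {
    run "$EBTABLES" -F FORWARD
    run "$TC" qdisc del dev "$CUST_IF" root
    run "$TC" qdisc del dev "$UP_IF" root
}

case "${1:-}" in
    start) shape_start ;;
    stop)  shape_stop ;;
    "")    ;;                                  # no argument: only define the functions
    *)     echo "Usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Because the table is the only thing that changes per customer, it can be generated from the same database the counter dump feeds, and DRY_RUN=1 ./rateshape start shows exactly which rules a table change would install before it touches the bridge.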