# Routing and bridges

## ZeuZ_NG

Hey all, I was under the impression my rules don't match any packet from my bridged network.

My setup is:

```
[UPLINK] <-> br0 (has a public IP attached) <-> host1 (has its own public IP)
                                            <-> host2 (has its own public IP)
```

Right now, the network is going on great.

The reason it's bridged is because those are KVM guests, so I bridged the uplink to br0.

Enough of that, the real problem starts here:

Previously, I'd manage traffic with htb-gen, or htb-init.

Likewise, I would apply rules to, say, eth0 if I wanted to stop more than a certain number of connections from happening.

But, seems like iptables doesn't match the rules to the bridged connections?

Someone told me it's designed to be that way and that I should use ebtables, is this correct?

Just as a side note, I would also require this to match connections to the hosts and then move them to the tcng queue?

----------

## Hu

You can use iptables with a bridged setup, though the rules must be written differently than they would be if you used it with a NAT setup.  Please specify exactly what you want to do with iptables.

----------

## ZeuZ_NG

The idea is to provide protection against some kinds of flooding, basic things like not allowing more than 10 concurrent connections from a given IP address.

I was already able to achieve this through ebtables using --logical-if pointing at br0 and --ip-dst pointing to the KVM guest IP on the FORWARD table.

However, now I'm facing the issue to mark that traffic so I can redirect it to tc, so I can shape it (ingress and egress rate).

Would it even work if I match the traffic on the FORWARD chain? Doing so in INPUT yielded no result, PREROUTING either, so I'm about to try the latter.

----------

## ZeuZ_NG

UPDATE: This is what I tested, not working:

```
# root CBQ qdisc on the bridge device
tc qdisc add dev br0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
# bounded 256 kbit class under the root
tc class add dev br0 parent 1:0 classid 1:1 cbq rate 256Kbit allot 1514 prio 1 avpkt 1000 bounded
# steer packets carrying firewall mark 1 into class 1:1
tc filter add dev br0 parent 1:0 protocol ip handle 1 fw flowid 1:1
# set mark 1 on bridged IPv4 frames destined for the guest
ebtables -A FORWARD --logical-in br0 -p ipv4 --ip-dst 190.210.31.163 -j mark --set-mark 1 --mark-target ACCEPT
```

Come to think of it, wouldn't that be trying to shape the upload instead of the download?

Yet changing --ip-dst to --ip-src won't work either.

----------

## ZeuZ_NG

Ok, so marks with ebtables weren't working correctly.

Through iptables on the FORWARD chain, I managed to mark them successfully.

However, the rest of the deal (traffic shaping) I don't know how to achieve.

I've tried this:

```
# "handle 1" is accepted for a qdisc and means 1:
tc qdisc add dev br0 root handle 1 cbq bandwidth 100Mbit avpkt 1000 mpu 64
# for a class, a bare "1" (no colon) is read as minor number 1, not the root
# qdisc "1:", so "parent 1" names a class 1:1 that does not exist yet and the
# kernel rejects the request
tc class add dev br0 parent 1 classid 1 cbq rate 256KBit allot 1514 prio 1 avpkt 1000 bounded
```

However, I can't go on, since reaching this point already yields:

```
RTNETLINK answers: Invalid argument
```

I would then need the filter line (following and modifying the example at http://ebtables.sourceforge.net/examples/real.html#example5), but since this one isn't done, I can't move on.

----------

## Hu

If I recall correctly, traffic shaping rules must be placed on the individual interface (eth0, eth1, etc.), even when bridging.  Special rules may apply when bonding, but for simple bridging, you should write your rules the same way you would if you were routing the traffic.

----------

## ZeuZ_NG

*Hu wrote:*

> If I recall correctly, traffic shaping rules must be placed on the individual interface (eth0, eth1, etc.), even when bridging.  Special rules may apply when bonding, but for simple bridging, you should write your rules the same way you would if you were routing the traffic.

I did try it, but it didn't work.

That's the first step I took, trying to use htb-gen on the real interface, but it, well, didn't work.

So I'm kind of looking at hashlimit right now; it looks like it could "work".

The main idea was to rate-limit the incoming and outgoing connections.

----------
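Putting Hu's advice together with what ZeuZ_NG found (marks work in the iptables FORWARD chain, and the thread's original goal of capping concurrent connections per source): an added example script, not code from the thread or from htb-gen. It assumes eth0 is the bridge port towards the uplink, that the guest's tap port on br0 is called vnet0 (a hypothetical name), that the guest IP is 190.210.31.163 as in the thread, and that bridged frames traverse iptables (br_netfilter with bridge-nf-call-iptables=1), which the poster's working FORWARD marks already rely on.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: eth0 is the bridge port
# towards the uplink, vnet0 (hypothetical name) is the guest's tap port on br0,
# the guest IP is 190.210.31.163 (from the thread), and bridged frames traverse
# iptables (br_netfilter, bridge-nf-call-iptables=1). Run with "apply" as root;
# set TC="echo tc" IPT="echo iptables" to print the commands instead.
TC="${TC:-tc}"
IPT="${IPT:-iptables}"
GUEST_IP="190.210.31.163"
UPLINK="eth0"       # bridge port towards the Internet
GUEST_PORT="vnet0"  # bridge port towards the KVM guest (assumed name)
MARK=1
MAX_CONN=10         # concurrent TCP connections allowed per source IP

# Shape on a bridge port, not on br0: frames forwarded between bridge ports do
# not pass br0's own qdisc. Egress on GUEST_PORT is the guest's download, egress
# on UPLINK is its upload. Handles are written 1: / 1:1 / 1:10 (the "parent 1
# classid 1" form from the thread names a class that does not exist).
shape_dev() {
    dev="$1"; rate="$2"
    $TC qdisc add dev "$dev" root handle 1: htb
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate 100mbit
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "$rate" ceil "$rate"
    # fw filter: packets whose skb mark equals MARK land in the shaped leaf
    $TC filter add dev "$dev" parent 1: protocol ip handle "$MARK" fw flowid 1:10
}

# Mark guest traffic in the mangle FORWARD chain (where the poster found marks
# do work) and drop new connections once a source already holds MAX_CONN.
mark_and_limit() {
    $IPT -t mangle -A FORWARD -d "$GUEST_IP" -j MARK --set-mark "$MARK"
    $IPT -t mangle -A FORWARD -s "$GUEST_IP" -j MARK --set-mark "$MARK"
    $IPT -A FORWARD -d "$GUEST_IP" -p tcp --syn \
        -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 32 -j DROP
}

setup_all() {
    shape_dev "$GUEST_PORT" 256kbit   # download towards the guest
    shape_dev "$UPLINK" 256kbit       # upload from the guest
    mark_and_limit
}

if [ "${1:-}" = "apply" ]; then
    setup_all
fi
```

The marks set in FORWARD are still on the skb when it leaves the bridge port, so the fw filter on vnet0 or eth0 sees them; nothing is attached to br0 at all.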

