
I'm trying to log packets using a bridge created on an espressobin v5 SOC. I've set it up using the archlinux arm package. This board is built out of the box to provide inherent switching and routing capabilities. I think I've disabled all of these features as I don't need routing capabilities. I only need bridging capabilities with packet inspection.

The intent is to place this device upstream from a series of voip phones and use it to inspect packets to these phones and log them. The logged packets will serve as an indicator to a separate process (not in scope of this question) to indicate that the phones are ringing. These packets will stop being logged when someone answers the phone (the protocol changes from UDP to TCP thereby invalidating the logging rule).

OOTB the Espressobin is set up with a bridge br0 that gets connected to lan0 and lan1. I disabled dnsmasq and the default bridge br0.

In br0's place there is br1, which bridges lan0 and lan1 and is set to a static IP address assigned by the router. I've installed ebtables and ran the following:

modprobe br_netfilter
modprobe nf_conntrack

Here's ifconfig:

br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.216  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::a423:15ff:fe81:681a  prefixlen 64  scopeid 0x20<link>
        ether a6:23:15:81:68:1a  txqueuelen 1000  (Ethernet)
        RX packets 211400  bytes 21894506 (20.8 MiB)
        RX errors 0  dropped 696  overruns 0  frame 0
        TX packets 11036  bytes 485479 (474.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::f2ad:4eff:fe08:6070  prefixlen 64  scopeid 0x20<link>
        ether f0:ad:4e:08:60:70  txqueuelen 1000  (Ethernet)
        RX packets 279130  bytes 32859949 (31.3 MiB)
        RX errors 0  dropped 74  overruns 0  frame 0
        TX packets 2615  bytes 132663 (129.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::f2ad:4eff:fe08:6070  prefixlen 64  scopeid 0x20<link>
        ether f0:ad:4e:08:60:70  txqueuelen 1000  (Ethernet)
        RX packets 13767  bytes 1200675 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8539  bytes 361411 (352.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here's my ebtables rule:

[root@alarm ipv4]# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 10.0.1.198 --log-level notice --log-prefix "nf_conn" --log-ip -j CONTINUE

Here's the output of the rule:

[91201.408471] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=137 DPT=137
[91306.855593] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=138 DPT=138
[91306.869812] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=138 DPT=138

On 10.0.1.198 I have a small nodejs server running that communicates over port 15000. The espressobin is placed between my workstation and 10.0.1.198 like this:

router ---- workstation (10.0.1.X)
|_____espressobin (lan0) - (lan1) ---- nodejs server (10.0.1.198)

When I curl from the espressobin to 10.0.1.198 (http://10.0.1.198:15000) I can see the packets being logged.

When I curl from the workstation to 10.0.1.198 I don't see any logged packets. I was expecting to see the packets.

According to this documentation ebtables can't do full-fledged IPv4, hence modprobe br_netfilter.

My question is: am I on the right path or am I on mission impossible?

If this is in part due to this limitation of ebtables, what would be (if any) a possible method to achieve my objective of logging packets on the bridge?

j_unknown

1 Answer


The ESPRESSObin system uses an on-board ethernet switch chip, which is supported by Linux DSA (Distributed Switch Architecture). My understanding is that when you bridge 2 ethernet ports that are both connected to this switch chip, all frames that are destined from one port to the other (and not to the SoC itself) will bypass the main SoC entirely and be handled by the switch chip. This is why tcpdump is not showing the traffic; it never actually touches the network card on the SoC.

Joel C
  • That was my hunch. Is there any way to forward this traffic to the SoC or am I blocked by this architecture? – j_unknown Jun 28 '19 at 08:43
  • What I don't get is that iptables (presumably ebtables as well) functions as expected when this device is configured as a router. The default network configuration for this device is to run as a router with dnsmasq configured for DNS and a default bridge in IPv4 10.0.0.0/24. Additionally I am getting packets logged over TCP/IP, albeit netbios requests to the router. This links to the archlinux wiki: [espressobin archlinux](http://wiki.espressobin.net/tiki-index.php?page=Boot+from+removable+storage+-+ArchLinux) **see the bottom of the page for default network config** – j_unknown Jun 28 '19 at 19:03
  • The issue only shows up for traffic that is switched between 2 ports of the on-board switch. If the traffic is routed, then it is sent through the switch to the SoC, and then back out to the switch once it has been dealt with. This is why you will still see tcpdump output for data that is actually sourced or destined for the SoC itself. – Joel C Jun 28 '19 at 19:51
  • Thank you for clarifying. I appreciate the help – j_unknown Jun 29 '19 at 12:11
  • I ended up using a different solution to resolve this concern. This involved port mirroring instead of the bridge. – j_unknown Dec 10 '19 at 17:37
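Added here as a diagnostic, not code from the question or the answer: a parser for the ebtables --log-ip kernel lines quoted in the question that separates frames the switch must hand to the CPU port anyway (broadcast/multicast, or addressed to br1's own MAC) from switched unicast. If only the former ever appear in the log, that is consistent with Joel C's explanation that port-to-port unicast is forwarded inside the switch chip and never reaches the bridge netfilter hooks. The workstation address 10.0.1.50 and the unicast line are constructed, and "broadcast/multicast always reaches the CPU port" is an assumption about the DSA switch, not something the thread states.

```python
import re

# Constructed sample input: the three ebtables --log-ip lines quoted in the question.
SAMPLE_LOG = """\
[91201.408471] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=137 DPT=137
[91306.855593] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=138 DPT=138
[91306.869812] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=138 DPT=138
"""
# Constructed, never observed by the asker: what a workstation -> nodejs server unicast
# frame would look like if it reached the SoC (10.0.1.50 is a placeholder address).
CONSTRUCTED_UNICAST = "[91400.000000] nf_conn IN=lan0 OUT= MAC source = 00:11:22:33:44:55 MAC dest = b8:27:eb:87:49:d4 proto = 0x0800 IP SRC=10.0.1.50 IP DST=10.0.1.198, IP tos=0x00, IP proto=6 SPT=51234 DPT=15000\n"

BRIDGE_MAC = "a6:23:15:81:68:1a"  # br1's MAC from the ifconfig output in the question

# Field layout of the kernel message produced by the ebtables log watcher with --log-ip.
LINE_RE = re.compile(
    r"\[(?P<ts>[\d.]+)\] (?P<prefix>\S+) IN=(?P<iif>\S*) OUT=(?P<oif>\S*) "
    r"MAC source = (?P<smac>[0-9a-f:]{17}) MAC dest = (?P<dmac>[0-9a-f:]{17}) "
    r"proto = (?P<ethertype>0x[0-9a-f]{4}) IP SRC=(?P<src>[\d.]+) IP DST=(?P<dst>[\d.]+), "
    r"IP tos=(?P<tos>0x[0-9a-f]{2}), IP proto=(?P<ipproto>\d+)"
    r"(?: SPT=(?P<sport>\d+) DPT=(?P<dport>\d+))?"
)


def parse_log(text):
    """Return one dict per ebtables log line; lines in any other format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def reaches_cpu(entry, bridge_mac=BRIDGE_MAC):
    """Assumption: frames the switch hands to the CPU port even with offloaded forwarding
    are broadcast/multicast (I/G bit set in the destination MAC) or addressed to the bridge."""
    ig_bit = int(entry["dmac"].split(":")[0], 16) & 1
    return entry["dmac"] == bridge_mac or ig_bit == 1


def diagnose(text, bridge_mac=BRIDGE_MAC):
    """Count flooded vs. switched-unicast entries and report whether the log is
    consistent with hardware forwarding bypassing the bridge netfilter hooks."""
    entries = parse_log(text)
    flooded = sum(reaches_cpu(e, bridge_mac) for e in entries)
    unicast = len(entries) - flooded
    if not entries:
        verdict = "no-entries"
    elif unicast == 0:
        verdict = "offload-consistent"   # only frames that must reach the CPU were logged
    else:
        verdict = "unicast-observed"     # the bridge hooks do see port-to-port unicast
    return {"total": len(entries), "flooded": flooded, "switched_unicast": unicast,
            "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG + CONSTRUCTED_UNICAST))
```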