iptables\/ebtables interaction on a Linux-based bridge

The 2.6 kernel contains the ebtables and br-nf code. The br-nf code makes bridged IP frames/packets go through the iptables chains. Ebtables filters on the Ethernet layer, while iptables only filters IP packets.

General frame traversal scheme:

Ethernet bridging hooks(or you can say chain)

There are six hooks defined in the Linux bridging code, of which the BROUTING hook was added for ebtables.

Traversal process of Bridging tables (ebtables) view

Incoming frame's chain traversal

Forwarded frame's chain traversal


Outgoing frames' chain traversal


A machine used as a bridge and a router

(not a brouter)

First it need IP code hooks

iptables (for routing) traversal process

Bridge/router routes packet to a bridge interface (simplistic view)

Bridge/router routes packet to a non-bridge interface (simplistic view)

Brouter

When an NIC enslaved to a bridge receives a frame, the frame will first go through the BROUTING chain. In this special chain you can choose whether to route or bridge frames, enabling you to make a brouter. The definitions found on the Internet for what a brouter actually is differ a bit. The next definition describes the brouting ability using the BROUTING chain quite well: A brouter is a device that bridges some frames/packets (i.e. forwards based on Link layer information) and routes other frames/packets (i.e. forwards based on Network layer information). The bridge/route decision is based on configuration information. A brouter can be used, for example, to act as a normal router for IP traffic between 2 networks, while bridging specific traffic (NetBEUI, ARP, whatever) between those networks. The IP routing table does not use the bridge logical device, instead the box has IP addresses assigned to the physical network devices that also happen to be bridge ports (bridge enslaved NICs). The default decision in the BROUTING chain is bridging.

Chain traversal for bridged IP packets: