On Thu, Oct 12, 2006 at 01:41:49AM +0100, Stuart Henderson wrote:
> On 2006/10/12 01:15, ropers wrote:
> > Neither do I understand what really goes on during IP forwarding as
> > opposed to bridging
>
> with forwarding (routing) tcp/ip packets have a destination IP address
> which isn't bound to an interface on the router but the MAC address _is_
> the address of the routers (destination address is not ARP'd for because
> the previous router knows it's not a directly-connected destination).
>
> with bridging, the MAC address is of the final destination, and is
> learned by the previous router by ARPing for it (ethernet broadcasts
> cross the bridge unaltered).
>
> see "tcpdump -e"

Stuart,
I read and reread the previous paragraph but I am not able to understand it. Let me try to express my understanding. Please point out the holes in it (I am sure there are many). I am especially confused since you have mentioned "forwarding (routing)".

Routing protocols have two phases or components, called building the routing table and the actual forwarding of IP packets. It is the building of routing tables that happens over TCP (BGP), UDP (RIP) or IP (OSPF). This happens independently of real packet forwarding, which is the primary job of a router.

Now, once an IP packet arrives thro' an interface of a router, its destination IP address is looked up in the routing table, its TTL value is checked and decremented, its IP checksum is recomputed since we modified the TTL, and then finally (and most importantly) the destination MAC address of the packet is modified to match the longest prefix match of the routing table lookup. Thus, if you look at it, it is actually the destination MAC address stored in the ethernet header that is modified at every hop of the router. The IP header is largely untouched. Am I making sense or talking rubbish?

Now, bridging is actually the job of a layer 2 device like a switch/hub and mostly happens in hardware since it is a dumb function. What OpenBSD hopes to achieve thro' providing bridging in software is to do that same job intelligently. The man page clearly says that. If you add pf to bridging then voila!, you have a marvellous way to filter packets transparently without actually modifying the routing topology of the network. And since pf can do much much more than mere filtering, the convenience of not modifying your routing topology is a marvellous gift to sysadmins...

> > or, for that matter, why I needed to enable
> > net.inet.ip.forwarding=1 in /etc/sysctl.conf for the bridge to work.
>
> I'm not sure you do, but I think you need it for PF. If it was a
> bit more sensible time of day I'd double-check (-:

I guess this is more of a security measure. Since bridging involves lower-layer handling, the user has to explicitly state his intent. I find no confusion here. You need to do the same if you are using IPsec as well.

Best,
Girish
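The difference the two posts above argue about (what a router rewrites in a frame versus what a bridge leaves untouched) can be made concrete with a small simulation. The following is an added example written for this thread; it is not code from the list, from OpenBSD or from pf. Every MAC and IP address, the routing table, the ARP cache, the interface names em0/em1/em2 and the frames are constructed here for illustration. The router side does a longest-prefix-match lookup, decrements TTL, recomputes the IPv4 header checksum and replaces only the Ethernet header; the bridge side learns source MACs per port and forwards the same bytes it received.

```python
"""What a router rewrites in a frame versus what a bridge leaves alone.

Added example for this thread, not code from it or from OpenBSD/pf. All MACs,
IPs, the routing table, the ARP cache and the frames are constructed here.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the IPv4 header; 0 when the header's own checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl=64, payload=b"") -> bytes:
    """Ethernet II header + 20-byte IPv4 header (proto UDP, no options) + payload."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                               ttl, 17, 0, ipaddress.IPv4Address(src_ip).packed,
                               ipaddress.IPv4Address(dst_ip).packed))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip) + payload


class Router:
    """Layer 3: LPM lookup, TTL decrement, checksum, new Ethernet header; IP header otherwise kept."""

    def __init__(self, routes, arp, iface_macs):
        # routes: (prefix, gateway or None when directly connected, outgoing interface)
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(g) if g else None, i)
                       for p, g, i in routes]
        self.arp = {ipaddress.ip_address(k): v for k, v in arp.items()}   # constructed ARP cache
        self.iface_macs = iface_macs

    def lookup(self, dst):
        best = None
        for net, gw, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)                  # longest prefix wins
        return best

    def forward(self, frame: bytes):
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            return None
        ip = bytearray(frame[14:34])
        if ipv4_checksum(bytes(ip)) != 0 or ip[8] <= 1:
            return None                                  # bad header or TTL expired: drop
        dst = ipaddress.IPv4Address(bytes(ip[16:20]))
        route = self.lookup(dst)
        if route is None:
            return None                                  # no route: drop
        _, gw, iface = route
        next_hop = gw if gw is not None else dst         # directly connected: the host itself
        next_mac = self.arp.get(next_hop)
        if next_mac is None:
            return None                                  # a real stack would ARP and queue
        ip[8] -= 1                                       # TTL
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
        # Only the Ethernet header changes; IP source/destination stay as they were.
        return next_mac + self.iface_macs[iface] + frame[12:14] + bytes(ip) + frame[34:]


class Bridge:
    """Layer 2: learn source MAC per port, forward the frame byte-for-byte."""

    def __init__(self, ports):
        self.ports, self.fdb = list(ports), {}

    def forward(self, frame: bytes, in_port: str):
        dst_mac, src_mac = frame[:6], frame[6:12]
        self.fdb[src_mac] = in_port                      # learning
        out = self.fdb.get(dst_mac)
        if dst_mac == BROADCAST or out is None:
            out_ports = [p for p in self.ports if p != in_port]   # flood (ARP broadcasts too)
        else:
            out_ports = [] if out == in_port else [out]
        return out_ports, frame                          # same bytes out as in


def demo():
    host_a, host_c, gw = mac("00:00:00:aa:aa:aa"), mac("00:00:00:cc:cc:cc"), mac("00:00:00:bb:bb:bb")
    em0, em1 = mac("00:00:00:01:00:00"), mac("00:00:00:01:00:01")
    rtr = Router(routes=[("192.0.2.0/24", None, "em0"), ("198.51.100.0/24", None, "em1"),
                         ("0.0.0.0/0", "198.51.100.1", "em1")],
                 arp={"198.51.100.1": gw, "198.51.100.20": host_c},
                 iface_macs={"em0": em0, "em1": em1})
    # host_a (192.0.2.10) addresses the router's MAC for an off-link destination.
    via_default = rtr.forward(build_frame(em0, host_a, "192.0.2.10", "203.0.113.7"))
    direct = rtr.forward(build_frame(em0, host_a, "192.0.2.10", "198.51.100.20"))
    expired = rtr.forward(build_frame(em0, host_a, "192.0.2.10", "203.0.113.7", ttl=1))
    br = Bridge(["em0", "em1", "em2"])
    original = build_frame(gw, host_a, "192.0.2.10", "203.0.113.7")   # dst MAC is the real next hop
    first_ports, first_out = br.forward(original, "em0")              # unknown dst: flooded
    br.forward(build_frame(host_a, gw, "203.0.113.7", "192.0.2.10"), "em1")   # reply teaches gw's port
    second_ports, _ = br.forward(original, "em0")                      # now unicast
    return {"router_dst_mac": via_default[:6], "router_src_mac": via_default[6:12],
            "router_ttl": via_default[22], "router_csum_ok": ipv4_checksum(via_default[14:34]) == 0,
            "router_ip_dst": str(ipaddress.IPv4Address(via_default[30:34])),
            "lpm_dst_mac": direct[:6], "expired": expired, "bridge_first_ports": first_ports,
            "bridge_unchanged": first_out == original, "bridge_second_ports": second_ports}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the routed frame leaving with the upstream gateway's MAC as destination, em1's MAC as source, TTL 63 and a valid checksum, while the IP destination is still 203.0.113.7; the frame to 198.51.100.20 picks the /24 over the default route. The bridged frame comes out identical to what went in, flooded until the reverse direction has been learned. This is also the behaviour "tcpdump -e" makes visible on each side of a real box.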