
I'm trying to log packets using a bridge created on an Espressobin v5 SoC. I've set it up using the Arch Linux ARM package. This board is built out of the box to provide inherent switching and routing capabilities. I think I've disabled all of these features, as I don't need routing capabilities. I only need bridging capabilities with packet inspection.

The intent is to place this device upstream from a series of voip phones and use it to inspect packets to these phones and log them. The logged packets will serve as an indicator to a separate process (not in scope of this question) to indicate that the phones are ringing. These packets will stop being logged when someone answers the phone (the protocol changes from UDP to TCP thereby invalidating the logging rule).

Out of the box the Espressobin is set up with a bridge br0 that gets connected to lan0 and lan1. I disabled dnsmasq and the default bridge br0.

In br0's place there is br1, which bridges lan0 and lan1 and is set to a static IP address assigned by the router. I've installed ebtables and ran the following:

modprobe br_netfilter
modprobe nf_conntrack

Here's ifconfig:

br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.216  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::a423:15ff:fe81:681a  prefixlen 64  scopeid 0x20<link>
        ether a6:23:15:81:68:1a  txqueuelen 1000  (Ethernet)
        RX packets 211400  bytes 21894506 (20.8 MiB)
        RX errors 0  dropped 696  overruns 0  frame 0
        TX packets 11036  bytes 485479 (474.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::f2ad:4eff:fe08:6070  prefixlen 64  scopeid 0x20<link>
        ether f0:ad:4e:08:60:70  txqueuelen 1000  (Ethernet)
        RX packets 279130  bytes 32859949 (31.3 MiB)
        RX errors 0  dropped 74  overruns 0  frame 0
        TX packets 2615  bytes 132663 (129.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::f2ad:4eff:fe08:6070  prefixlen 64  scopeid 0x20<link>
        ether f0:ad:4e:08:60:70  txqueuelen 1000  (Ethernet)
        RX packets 13767  bytes 1200675 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8539  bytes 361411 (352.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here's my ebtables rule:

[root@alarm ipv4]# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 10.0.1.198 --log-level notice --log-prefix "nf_conn" --log-ip -j CONTINUE

Here's the output of the rule:

[91201.408471] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=137 DPT=137
[91306.855593] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=138 DPT=138
[91306.869812] nf_conn IN=lan1 OUT= MAC source = b8:27:eb:87:49:d4 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=10.0.1.198 IP DST=10.0.1.255, IP tos=0x00, IP proto=17 SPT=138 DPT=138

On 10.0.1.198 I have a small Node.js server running that communicates over port 15000. The Espressobin is placed between my workstation and 10.0.1.198 like this:

router ---- workstation (10.0.1.X)
|_____espressobin (lan0) - (lan1) ---- nodejs server (10.0.1.198)

When I curl from the Espressobin to 10.0.1.198 (http://10.0.1.198:15000), I can see the packets being logged.

When I curl from the workstation to 10.0.1.198, I don't see any logged packets. I was expecting to see the packets.

According to this documentation, ebtables can't do full-fledged IPv4, hence modprobe br_netfilter.

My question is: am I on the right path, or am I on mission impossible?

If this is in part due to this limitation of ebtables, what would be (if any) a possible method to achieve my objective of logging packets on the bridge?

1 Answer


The ESPRESSObin system uses an on-board Ethernet switch chip, which is supported by Linux DSA (Distributed Switch Architecture). My understanding is that when you bridge two Ethernet ports that are both connected to this switch chip, all frames that go from one port to the other (and not to the SoC itself) will bypass the main SoC entirely and be handled by the switch chip. This is why tcpdump is not showing the traffic; it never actually touches the network card on the SoC.

Joel C
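A quick way to confirm the answer's point on a given box, and to see why the question's ebtables rule only fires for traffic the SoC itself sends or receives, is to check whether every member port of the bridge reports the same switchdev identity. The following is an added example, not code from the question or the answer: it reads the kernel's `/sys/class/net/<bridge>/brif/<port>/phys_switch_id` attribute for each bridge port. When all ports carry the same non-empty id, port-to-port forwarding is done by the switch silicon and never reaches the SoC's netfilter hooks; a port with no id (an ordinary NIC) forces the software path. The root-directory parameter, the function names and the constructed sysfs tree modelled on br1/lan0/lan1 are this example's assumptions, so it can run offline.

```shell
#!/bin/sh
# Added example (not from the original post). Decide whether a Linux bridge's
# member ports all live on one switchdev/DSA chip, using the kernel's
# per-port phys_switch_id attribute under <root>/<bridge>/brif/<port>/.
# <root> is a hypothetical parameter: pass /sys/class/net on a real machine,
# or a constructed tree as below.

bridge_offload_check() {
    root=$1
    br=$2
    first=""
    verdict="offloaded"
    ports=0
    for port in "$root/$br"/brif/*; do
        [ -d "$port" ] || continue
        ports=$((ports + 1))
        if [ -r "$port/phys_switch_id" ]; then
            id=$(cat "$port/phys_switch_id")
        else
            id=""          # plain NIC: no switchdev id, SoC forwards in software
        fi
        if [ -z "$id" ]; then
            verdict="software"
        elif [ -z "$first" ]; then
            first=$id
        elif [ "$id" != "$first" ]; then
            verdict="software"   # ports on different chips: CPU has to forward
        fi
    done
    # Fewer than two ports means there is nothing to forward between.
    [ "$ports" -ge 2 ] || verdict="software"
    printf '%s\n' "$verdict"
}

# Constructed sysfs tree for the stand-alone demo; the switch ids are made up.
make_fake_sysfs() {
    root=$1
    # br1: lan0 + lan1, both user ports of the same switch chip, as on the
    # ESPRESSObin in the question.
    for p in lan0 lan1; do
        mkdir -p "$root/br1/brif/$p"
        printf '00000000\n' > "$root/br1/brif/$p/phys_switch_id"
    done
    # br0: a switch port bridged with a USB NIC that has no switch id.
    mkdir -p "$root/br0/brif/lan2" "$root/br0/brif/usb0"
    printf '00000000\n' > "$root/br0/brif/lan2/phys_switch_id"
}

demo=$(mktemp -d)
make_fake_sysfs "$demo"
printf 'br1: %s\n' "$(bridge_offload_check "$demo" br1)"   # offloaded
printf 'br0: %s\n' "$(bridge_offload_check "$demo" br0)"   # software
rm -rf "$demo"
```

On the board itself, `bridge_offload_check /sys/class/net br1` reporting `offloaded` is the sysfs-level confirmation of what the answer describes: frames between lan0 and lan1 are switched in hardware, and only frames addressed to or sent by the SoC (such as the curl from the Espressobin in the question) pass through br_netfilter and the ebtables PREROUTING chain.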