Inline on a Linux Bridge
Linux packages required:
- bridge-utils
- ebtables
In our example of setting up bridge mode we will use a local address of 192.168.1.11/24 and interfaces eth0 and eth1
as the bridge interfaces (more detailed documentation is available here). You may omit the ‘#’ character and everything after it.
If you have not already done so, remember to add a default route, such as this one for a gateway of 192.168.1.1.
ip route add default via 192.168.1.1
At this point it is a good idea to test connectivity to verify the basic bridge is functional.
Once the bridge is verified to work, this is the basic traffic pattern of interest.
[Figure: traffic flow through a bridge with Traffic Server inline]
In this example we will intercept port 80 (HTTP) traffic. We use the BROUTING chain because it is traversed only for packets that originated externally and arrived on a (forwarding enabled) interface. Although it looks like this will intercept all port 80 traffic, it only affects the two flows shown above. -j redirect rewrites the destination MAC address to the bridge's own, so the packet is delivered to the bridge itself rather than forwarded, and in the BROUTING chain the DROP target means "route": the packet enters the normal IP stack, where the usual iptables rules (including standard interface matches) can be applied to it. Although this example handles only port 80, other ports are handled the same way except for the port value. Note also that the port here is the port from the point of view of the clients and origin servers, not the Traffic Server server port.
ebtables -t broute -F # Flush the table
# inbound traffic (client -> origin, destination port 80)
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
  -j redirect --redirect-target DROP
# returning outbound traffic (origin -> client, source port 80)
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
  -j redirect --redirect-target DROP
Traffic Server operates at layer 3, so we need to use iptables to handle the IP packets appropriately.
At this point the directionality of the interfaces matters. For the example, eth1 is the inbound (client side) interface and eth0 is the outbound (origin server side) interface. We mark both flows of packets so that we can apply policy routing to them. For inbound packets we need to use TPROXY to force acceptance of packets addressed to foreign IP addresses. For returning outbound packets a socket bound to the foreign address is already open, so we need only force the packets to be delivered locally. The value for --on-ip is 0 because the target port is listening without being bound to a specific address. The value for --on-port must match the Traffic Server server port; apart from that constraint the port number is arbitrary. --dport and --sport specify the port from the point of view of the clients and origin servers.
Once the flows are marked we can force them to be delivered locally via the loopback interface, using a policy routing table:
ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1
The marking used is arbitrary, but it must be consistent between iptables and the routing rule. The table number must be in the range 1..253.
To configure Traffic Server, set the following values in records.config:
Check to make sure that iptables is not filtering (blocking) incoming HTTP connections. Verify that IP packet forwarding is enabled. You can check this with:
sysctl net.ipv4.ip_forward
The output should be a non-zero value (usually ‘1’). If it is zero, you can set it with:
sysctl -w net.ipv4.ip_forward=1
This setting can be persisted by putting it in /etc/sysctl.conf:
net/ipv4/ip_forward=1
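The two checks just described, as a small script. This is an added example and not code from the original page or from the Traffic Server project. Each check takes its input as an argument so it can be exercised against the constructed sample iptables output embedded below as well as against the live host; the sample rules are made up for the example and are not from any real system.

```shell
#!/bin/sh
# Added example: pre-flight checks for the transparent bridge setup.

# Return 0 when the ip_forward value in FILE (default: the live sysctl) is non-zero.
ip_forward_enabled() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] || return 1
    val=$(tr -d '[:space:]' < "$file")
    [ -n "$val" ] && [ "$val" -ne 0 ]
}

# Return 0 when the INPUT chain, given as 'iptables -S INPUT' output in $1,
# would filter TCP traffic to destination port $2. Only '-p tcp --dport PORT'
# rules and the chain policy are evaluated, first match wins in chain order;
# rules matching on other criteria (interface, source address) are ignored,
# so this is a conservative first check rather than a full rule evaluation.
input_filters_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        function port_rule() { return ($0 ~ /-p tcp/) && ($0 ~ ("--dport " port "( |$)")) }
        /^-P INPUT / { policy = $3 }
        /^-A INPUT / && !decided && port_rule() && /-j ACCEPT/        { decided = 1; filtered = 0 }
        /^-A INPUT / && !decided && port_rule() && /-j (DROP|REJECT)/ { decided = 1; filtered = 1 }
        END {
            if (!decided) filtered = (policy == "DROP") ? 1 : 0
            exit filtered ? 0 : 1
        }'
}

# Constructed sample 'iptables -S INPUT' output (not taken from a real host).
SAMPLE_OPEN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP'

SAMPLE_BLOCKED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset'

# Run both checks against the live host. Prints findings and always returns 0
# so it can be dropped into a larger setup script without aborting it.
run_live_checks() {
    port="${1:-80}"   # the port as seen by clients, since TPROXY does not rewrite it
    if ip_forward_enabled; then
        echo "ok: net.ipv4.ip_forward is enabled"
    else
        echo "WARN: net.ipv4.ip_forward is 0 or unreadable"
    fi
    if command -v iptables >/dev/null 2>&1; then
        rules=$(iptables -S INPUT 2>/dev/null) || rules=""
        if [ -n "$rules" ] && input_filters_port "$rules" "$port"; then
            echo "WARN: INPUT chain filters tcp/$port"
        else
            echo "ok: INPUT chain does not filter tcp/$port (or rules unreadable)"
        fi
    else
        echo "skip: iptables not found"
    fi
    return 0
}

run_live_checks "$@"
```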