RFC: bridge netfilter vlan device name resolution

When using a bridge with a management vlan on top (e.g. br0.1), you
cannot use iptables to match the input vlan device, because the vlan
device isn't resolved yet, i.e. "-i br0" matches, while "-i br0.1"
does not, unless "net.bridge.bridge-nf-filter-vlan-tagged" (or
"net.bridge.bridge-nf-call-iptables") is turned off.

This happens because bridge netfilter runs before
vlan device lookup, so skb->dev is set to the bridge, not
the vlan device on top of the bridge.

I'd like to use iptables -t nat ... -j REDIRECT only for one particular vlan.

Two possible solutions come to mind:

- #1, add the vlan tag to nf_bridge info for use with physdev match:
  "... -m physdev --vlan-id 42 ..."
- #2, change bridge netfilter so that it passes in the vlan instead of
  the bridge as input device.

Any other ideas on how to handle this?

RFC patch that implements #2 follows.

Thanks,
Florian
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
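The following reproduction script is an added example; it is neither part of the mail above nor the RFC patch it announces. It rebuilds the topology from the mail (bridge br0, management vlan br0.1 on top, a tagged client behind a bridge port) in two network namespaces and counts which "-i" PREROUTING rule a ping actually hits. It assumes a Linux host with br_netfilter, iproute2 and iptables, root privileges, and the sysctl net.bridge.bridge-nf-pass-vlan-input-dev that later kernels added for approach #2; the namespace names, the PASS_VLAN/BRIDGE_VLAN_REPRO variables and the indev_seen_by_iptables helper are the script's own.

```shell
# Constructed reproduction, not Florian's RFC patch. Builds the topology from
# the mail (bridge br0, management vlan br0.1 on top, tagged client on a port)
# in two network namespaces and counts which "-i" rule a ping hits.
# Assumes Linux with br_netfilter, iproute2 and iptables, run as root.
set -e
NSA=bnf-bridge; NSB=bnf-client   # assumed throwaway namespace names
PASS_VLAN=${PASS_VLAN:-0}        # net.bridge.bridge-nf-pass-vlan-input-dev (approach #2 as later merged)

# Device a PREROUTING "-i" rule must name to match a tagged frame that is
# locally delivered through br0.1, given the three sysctl values (1/0).
indev_seen_by_iptables() {
  call_iptables=$1 filter_vlan_tagged=$2 pass_vlan_indev=$3
  if [ "$call_iptables" = 1 ] && [ "$filter_vlan_tagged" = 1 ] &&
     [ "$pass_vlan_indev" != 1 ]; then
    echo br0      # bridge netfilter ran first: skb->dev is still the bridge
  else
    echo br0.1    # vlan device already resolved (or handed over) when iptables runs
  fi
}

setup_topology() {
  modprobe br_netfilter 2>/dev/null || true
  ip netns add "$NSA"; ip netns add "$NSB"
  ip -n "$NSA" link add br0 type bridge
  ip -n "$NSA" link add veth0 type veth peer name veth1
  ip -n "$NSA" link set veth0 master br0
  ip -n "$NSA" link set veth1 netns "$NSB"
  ip -n "$NSA" link add link br0 name br0.1 type vlan id 1     # management vlan
  ip -n "$NSB" link add link veth1 name veth1.1 type vlan id 1 # tagged client
  for d in br0 veth0 br0.1; do ip -n "$NSA" link set "$d" up; done
  for d in veth1 veth1.1; do ip -n "$NSB" link set "$d" up; done
  ip -n "$NSA" addr add 10.0.1.1/24 dev br0.1
  ip -n "$NSB" addr add 10.0.1.2/24 dev veth1.1
}
add_rules() {
  ip netns exec "$NSA" sysctl -q -w net.bridge.bridge-nf-call-iptables=1 \
    net.bridge.bridge-nf-filter-vlan-tagged=1 \
    net.bridge.bridge-nf-pass-vlan-input-dev="$PASS_VLAN"
  for dev in br0 br0.1; do   # two counting rules; only one should see the ping
    ip netns exec "$NSA" iptables -t mangle -A PREROUTING -i "$dev" -p icmp -j ACCEPT
  done
}
run_repro() {
  setup_topology; add_rules
  ip netns exec "$NSB" ping -c 3 -W 1 10.0.1.1 >/dev/null || true
  ip netns exec "$NSA" iptables -t mangle -L PREROUTING -v -n   # compare the pkts columns
  ip netns del "$NSA"; ip netns del "$NSB"
}
if [ "${BRIDGE_VLAN_REPRO:-0}" = 1 ]; then run_repro; fi
```

Run it as `BRIDGE_VLAN_REPRO=1 sh repro.sh` and the packet counter lands on the "-i br0" rule; with `PASS_VLAN=1` as well, it moves to the "-i br0.1" rule.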