From: Bart De Schuymer <bdschuym@pandora.be>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: RFC: bridge netfilter vlan device name resolution
Date: Tue, 27 Mar 2012 19:34:02 +0200 [thread overview]
Message-ID: <4F71FA0A.9010503@pandora.be> (raw)
In-Reply-To: <20120326202124.GA15638@Chamillionaire.breakpoint.cc>
On 26/03/2012 22:21, Florian Westphal wrote:
> When using a bridge with a management vlan on top (e.g. br0.1), you
> cannot use iptables to match the input vlan device, because the vlan
> device isn't resolved yet, i.e. "-i br0" matches, while "-i br0.1"
> does not, unless "net.bridge.bridge-nf-filter-vlan-tagged" (or
> "net.bridge.bridge-nf-call-iptables") is turned off.
>
> This happens because bridge netfilter runs before
> vlan device lookup, so skb->dev is set to the bridge; not
> the vlan device on top of the bridge.
>
> I'd like to use iptables -t nat ... -j REDIRECT only for one particular vlan.
>
> Two possible solutions come to mind:
>
> - #1, add the vlan tag to nf_bridge info for use with physdev match:
> "... -m physdev --vlan-id 42 ..."
> - #2, change bridge netfilter so that it passes in the vlan instead of
> the bridge as input device.
>
> Any other ideas on how to handle this?
I don't like approach #2: it will break existing firewall configurations
and I really don't see a reason why we would change the network device
to a non-bridge device (br0.1 isn't a bridge). Approach #1 can be
achieved without code changes with the nfmark field as shown below.
You can filter on the vlan id in iptables by using the nfmark field
intelligently, see e.g.
http://ebtables.sourceforge.net/examples/basic.html#ex_network_separation
cheers,
Bart
--
Bart De Schuymer
www.artinalgorithms.be
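The nfmark approach Bart points to, written out as an added example (this script is not from the thread or from the ebtables project): ebtables marks the frame by its 802.1Q VLAN id before bridge netfilter hands it to iptables, and iptables then matches the mark instead of the (unresolved) vlan device name. The bridge name br0, VLAN id 42, nfmark value 42, local port 8080 and the TCP/80 REDIRECT are assumed placeholders for Florian's setup.

```shell
#!/bin/sh
# Added example: make iptables match "VLAN 42 on br0" while bridge-nf is enabled.
# With net.bridge.bridge-nf-call-iptables=1 the frame reaches iptables with
# skb->dev == br0 (not br0.42), so "-i br0.42" can never match. ebtables, which
# runs earlier in the bridge path, can see the 802.1Q tag and stamp the nfmark;
# iptables reads the same skb->mark.
# Assumed values: br0, VLAN 42, mark 42, TCP/80 redirected to local port 8080.

# Print each command (default) or execute it when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# vlan_mark_rules BRIDGE VLAN_ID MARK DPORT
# Emits/applies the sysctls, the ebtables marking rule and the iptables rule.
vlan_mark_rules() {
    bridge=$1; vid=$2; mark=$3; port=$4

    # Bridge netfilter must hand bridged (and VLAN-tagged) frames to iptables;
    # this is the configuration the thread describes.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=1

    # ebtables nat PREROUTING runs before iptables sees the frame.
    # --logical-in selects the bridge (ebtables -i would be the bridge port).
    # --mark-target CONTINUE keeps evaluating later ebtables rules; ACCEPT would
    # short-circuit the chain, which is rarely what a marking rule wants.
    run ebtables -t nat -A PREROUTING --logical-in "$bridge" \
        -p 802_1Q --vlan-id "$vid" \
        -j mark --mark-set "$mark" --mark-target CONTINUE

    # iptables matches the nfmark instead of a vlan device name. The input
    # device is still the bridge, exactly as Florian observed.
    run iptables -t nat -A PREROUTING -i "$bridge" -m mark --mark "$mark" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$port"
}

# Dry run prints the rule set; APPLY=1 sh thisfile.sh installs it.
vlan_mark_rules br0 42 42 8080
```

Because `--mark-set` overwrites the whole nfmark, pick a value (or use `--mark-or` with a dedicated bit range and `-m mark --mark value/mask`) that does not collide with marks already used by tc, policy routing or other netfilter rules on the box; otherwise an unrelated rule could silently enable the REDIRECT for the wrong VLAN. Check the result with `ebtables -t nat -L --Lc` and `iptables -t nat -L PREROUTING -v`.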
2012-03-26 20:21 RFC: bridge netfilter vlan device name resolution Florian Westphal
2012-03-26 20:23 ` [RFC PATCH] netfilter: bridge: change indev name to vlan if vlan tag present Florian Westphal
2012-03-27 15:37 ` Pablo Neira Ayuso
2012-03-27 17:34 ` Bart De Schuymer [this message]
2012-03-27 20:19 ` RFC: bridge netfilter vlan device name resolution Florian Westphal
2012-04-02 9:25 ` Florian Westphal
2012-04-03 12:18 ` Bart De Schuymer
2012-04-03 20:47 ` Florian Westphal