From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: ebtables & VLAN redirect
Date: Tue, 29 Jun 2010 14:31:02 -0500 [thread overview]
Message-ID: <4C2A49F6.2060704@riverviewtech.net> (raw)
In-Reply-To: <4C2A49A3.1030600@riverviewtech.net>
On 06/29/10 14:29, Grant Taylor wrote:
> The simple fact that you have the amount of incoming traffic that you
> want to filter and forward a subset of implies that there will be CPU
> time spent analyzing which traffic to forward.
Along these lines, I have what some might consider a devious idea.
Create a bridge for each VLAN. That will give you the VLAN interface
and it's associated bridge interface. Then bridge the bridge interfaces
in to a larger bridge.
Using all the smaller bridges will keep the possible rules that you need
to match smaller, thus less load on the CPU. You could also turn down
the VLANs individual bridge when you didn't want to monitor any traffic
on it, thus reducing the load further.
So, you would end up with a topology somewhat like this:
eth0.101 <-> br101 <-> br9
eth0.102 <-> br102 <-> br9
eth0.103 <-> br103 <-> br9 <-> eth1.9
...
eth0.199 <-> br199 <-> br9
In this case, br9 is nothing more than a collector from all the other
bridges.
It's the interaction between eth0.<VID> and br<VID> that has to do the
filtering.
When you don't want to monitor traffic on say, eth0.123, simply remove
it from br123. Doing so will cause br123 to disable (but not remove)
its self which will cause br9 to disable the port that is br123. -
Then when you want to monitor eth0.123, re-add it to br123, causing
br123 to re-enable, causing br9 to re-enable br123's port.
Using br9 to aggregate all the VLANs together will also make it easier /
less load to make sure that you don't have inter-VLAN communications
because only the traffic you are interested in will make it that far,
not all the traffic that you are talking about. Seeing as how there
will be much less traffic, matching the EBTables rules to see what can
talk to what (for br9) will be much less load on the system.
Something to think about.
Grant. . . .
next prev parent reply other threads:[~2010-06-29 19:31 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-26 12:43 ebtables & VLAN redirect Anatoly Muliarski
2010-06-26 16:41 ` Grant Taylor
2010-06-27 6:04 ` Anatoly Muliarski
2010-06-28 2:14 ` Grant Taylor
2010-06-28 17:33 ` Anatoly Muliarski
2010-06-28 20:45 ` Grant Taylor
2010-06-29 18:15 ` Anatoly Muliarski
2010-06-29 19:29 ` Grant Taylor
2010-06-29 19:31 ` Grant Taylor [this message]
2010-06-30 3:20 ` /dev/rob0
2010-06-30 3:33 ` Grant Taylor
2010-06-30 20:54 ` Anatoly Muliarski
2010-06-30 21:09 ` Grant Taylor
2010-06-30 21:21 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C2A49F6.2060704@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).