> Q1: -on phys. iface it will work but will be hard to filter.
> ..... 1 VLAN ~ 1 IP segment, in this case I can filter according to dest.
> IP address on internal iface (I hope)...........

The problem will be that the physical interface's qdisc will
see the packet with the vlanid added (probably). So u32 will not match
it. But iptables should.

devik