On Tue, Apr 09, 2013 at 05:57:45 -0700, Jamal Hadi Salim wrote:
> Hi,
>
> Consider using tc for this.
> You can tag the packet using skb mark on the receiving end point,
> match them on the bridge and execute actions not to forward them.

Does this work at the bridge level? A packet entering a port and going out from
another one can be affected by tc/mark?

>
> cheers,
> jamal
>
> On 13-04-09 03:56 AM, Antonio Quartulli wrote:
> > On Mon, Apr 08, 2013 at 11:58:48 -0700, Stephen Hemminger wrote:
> >> The standard way to do this is to use netfilter. Considering the
> >> additional device flags and skb flag changes, I am not sure that your
> >> method is better.
> >
> > To make it a bit more clear:
> >
> > 1) the skb flag will be used on the "receiving end-point" by batman-adv to mark
> > received packets and so instruct the bridge not to forward them to restricted
> > interfaces.
> >
> > 2) the IFF_ flag is used by batman-adv on the "sending side" to determine
> > whether a packet has been originated by a restricted interface and so instruct
> > the remote endpoint to mark the skb when received.
> >
> > 3) to make the bridge code general enough, I decided to let it mark packets
> > coming from restricted interfaces as well so that it can also apply the policy
> > at 1) locally, without any further setting. The logic described in 1) is
> > therefore applied by the bridge even for local packets (not passing through
> > batman-adv)
> >
> >
> >
> > Point 3) is the only one where netfilter might help. But using two mechanisms to
> > achieve one goal looked not sane to me and therefore I decided to do it this
> > way. And actually the code allowing point 3 is only:
> >
> > + skb->bridge_restricted = !!(skb->dev->flags & IFF_BRIDGE_RESTRICTED);
> >
> >
> > I hope this summary did not create further confusion :)
> >
>

--
Antonio Quartulli

..each of us alone is worth nothing..
Ernesto "Che" Guevara
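
Review bot: the quoted line assigns skb->bridge_restricted unconditionally from the ingress device's flags, so if it runs on a packet that batman-adv has already marked on the receiving end point (point 1) and the ingress device does not carry IFF_BRIDGE_RESTRICTED, the mark is reset to 0. If both paths can reach this assignment, OR the value in (`skb->bridge_restricted |= ...`) or set it only when the flag is present, and add a comment stating which side owns the bit.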