On Wed, 30 Mar 2005, Craig Robson wrote:
> When I needed this feature it wasn't security related.
So why did you need it?
> A few months ago I patched a version of the 2.4 kernel to do this exact same thing. It does work as Alpt described and is useful in some situations. I haven't checked to see if the same functionality is available using netfilter.
I see why one would like to make a pseudo-bridge only allowing local traffic, not forwarding between bridge ports. I only say that disabling flood forwarding of unknown destinations is the wrong approach to solve the problem.
Now, when reading the actual patch rather than the description I see that this patch actually disables all forwarding within the bridge, not only the flood forwarding, so it looks quite good (just a poor description at the start that confused me about what this patch does). But to be more generally useful the "hub" flag should be moved down to the port level rather than global.
But again, the exact same can be done with netfilter/ebtables (not iptables like I mistakenly said in an earlier message) by denying forwarding between the interfaces within the bridge.
Regards, Henrik
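The ebtables alternative mentioned above, as an added example that is not part of the original thread: the global form mirrors the patch's "hub" flag (no frame is ever forwarded between ports, while frames to and from the host itself still pass through INPUT/OUTPUT), and the per-port form is the finer-grained variant suggested in the message. The port names eth0/eth1 are assumed; EBTABLES can be pointed at `echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the list thread.
# Bridge ports can only talk to the local host, never to each other.
# Assumes the bridge members are eth0 and eth1 (hypothetical names).
# Set EBTABLES=echo to dry-run (print the rules) instead of applying them.
EBTABLES="${EBTABLES:-ebtables}"

# Global "hub" mode: drop every frame the bridge would forward between
# member ports. The INPUT and OUTPUT chains are left alone, so traffic
# destined to, or originating from, the bridge host itself still works.
isolate_all_ports() {
    "$EBTABLES" -P FORWARD DROP
}

# Per-port mode: only the named port is cut off from the other ports;
# the remaining ports keep normal bridging among themselves.
isolate_port() {
    port="$1"
    "$EBTABLES" -A FORWARD -i "$port" -j DROP   # frames arriving on $port
    "$EBTABLES" -A FORWARD -o "$port" -j DROP   # frames leaving via $port
}

# Check: list the FORWARD chain to verify the policy and per-port rules.
show_forward_chain() {
    "$EBTABLES" -L FORWARD
}
```

Run with `EBTABLES=echo sh script.sh` first to review the generated rules, then as root without the variable to apply them.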