On Wed, 2005-03-30 at 15:42, Henrik Nordstrom wrote: > On Wed, 30 Mar 2005, Craig Robson wrote: > > > When I needed this feature it wasn't security related. > > So why did you need it? > I was developing an application that needed to be deployed in a transparent bridge configuration. The deployment had two linux boxes wired in parallel to create a high availability configuration. At any given moment one unit was active and one was a backup unit. I couldn't use spanning tree to prevent loops in the network so I needed to disable forwarding on the backup unit. VRRP, etc. was used to initiate a failover at the appropriate time. > > A few months ago I patched a version of the 2.4 kernel to do this exact > > same thing. It does work as Alpt described and is useful in some > > situations. I haven't checked to see if the same functionallity is > > available using netfilter. > > I see why one would like to make a psuedo-bridge only allowing local > traffic not forwarding between bridge ports. I only say that disabling > flood forwarding of unknown destinations is the wrong approach to solve > the problem. > > Now, when reading the actual patch rather than the description I see that > this patch actually disables all forwarding within the bridge, not only > the flood forwarding, so it looks quite good (just poor description at the > start making me confused on what this patch does). But to be more general > useful the "hub" flag should be moved down to the port level rather than > global. > > But again, the exact same can be done with netfilter/ebtables (not > iptables like I mistakenly said in an earlier message) by denying > forwarding between the interfaces within the bridge. > > Regards > Henrik > - > : send the line "unsubscribe linux-net" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > - : send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
