When using a bridge with a management vlan on top (e.g. br0.1), you cannot use iptables to match the input vlan device, because the vlan device isn't resolved yet, i.e. "-i br0" matches, while "-i br0.1" does not, unless "net.bridge.bridge-nf-filter-vlan-tagged" (or "net.bridge.bridge-nf-call-iptables") is turned off.

This happens because bridge netfilter runs before vlan device lookup, so skb->dev is set to the bridge, not the vlan device on top of the bridge.

I'd like to use iptables -t nat ... -j REDIRECT only for one particular vlan.

Two possible solutions come to mind:

- #1, add the vlan tag to nf_bridge info for use with physdev match: "... -m physdev --vlan-id 42 ..."
- #2, change bridge netfilter so that it passes in the vlan instead of the bridge as input device.

Any other ideas on how to handle this?

RFC patch that implements #2 follows.

Thanks,
Florian