Re: RFC: bridge netfilter vlan device name resolution

Bart De Schuymer <bdschuym@xxxxxxxxxx> wrote:
> > Two possible solutions come to mind:
> >
> > - #1, add the vlan tag to nf_bridge info for use with physdev match:
> >    "... -m physdev --vlan-id 42 ..."
> > - #2, change bridge netfilter so that it passes in the vlan instead of
> >    the bridge as input device.
> >
> > Any other ideas on how to handle this?
> 
> I don't like approach #2: it will break existing firewall configurations 
> and I really don't see a reason why we would change the network device 
> to a non-bridge device (br0.1 isn't a bridge). Approach #1 can be 
> achieved without code changes with the nfmark field as shown below.
> 
> You can filter on the vlan id in iptables by using the nfmark field 
> intelligently, see e.g.
> http://ebtables.sourceforge.net/examples/basic.html#ex_network_separation

I see, but this 'do it with nfmark' is really getting out of hand,
because that's what everyone says for everything (be it qos, tproxy/policy
routing, L7/DPI crap, ...).  I only need the vlan identification in nat
PREROUTING so perhaps I can re-use some of that machine's QoS nfmarks
here and re-set the nfmarks in the mangle table,
thanks for the hint.

Pablo, please toss the patch --  I'll come up with something else in case the
nfmark solution won't work for me.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
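The nfmark approach discussed above, as an added example that is not part of the thread: ebtables ORs the 802.1Q VLAN id into the low 12 bits of the skb mark, iptables nat PREROUTING matches only those bits with a mask so unrelated QoS marks in the upper bits survive, and mangle POSTROUTING clears the VLAN bits again. It assumes ebtables with the mark target's `--mark-or` option, iptables with `MARK --and-mark`, and br_netfilter active (`net.bridge.bridge-nf-call-iptables=1`) so bridged frames reach the nat PREROUTING chain; `DRY_RUN=1` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not code from the netfilter-devel thread): keep the VLAN id
# in the low 12 bits of the nfmark, leave the upper bits to other users
# such as QoS marking. Assumes ebtables --mark-or, iptables MARK --and-mark
# and a loaded br_netfilter. DRY_RUN=1 echoes commands instead of running them.

VLAN_MASK=0x00000fff

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# ebtables nat PREROUTING sees the frame while it is still tagged, so the
# 802.1Q VLAN id can be ORed into the mark; CONTINUE keeps later rules live.
vlan_mark_rule() {
    run ebtables -t nat -A PREROUTING -p 802_1Q --vlan-id "$1" \
        -j mark --mark-or "$1" --mark-target CONTINUE
}

# iptables nat PREROUTING: value/mask match, so only the VLAN bits are
# compared and QoS marks in the upper bits cannot break the match.
# $2 is a constructed DNAT target for illustration.
vlan_nat_rule() {
    run iptables -t nat -A PREROUTING -m mark --mark "$1/$VLAN_MASK" \
        -j DNAT --to-destination "$2"
}

# mangle POSTROUTING: strip the VLAN bits again so the mark leaves the
# box carrying only the bits the QoS setup expects.
vlan_clear_rule() {
    run iptables -t mangle -A POSTROUTING -j MARK --and-mark 0xfffff000
}

# Decode the VLAN id from a mark value, e.g. one read back from conntrack.
vlan_from_mark() {
    printf '%d\n' $(( $1 & $VLAN_MASK ))
}

# Install the rules for one VLAN; run once, then vlan_clear_rule once.
setup_vlan_nat() {
    vlan_mark_rule "$1"
    vlan_nat_rule "$1" "$2"
}
```

A QoS mark of 0x10000 plus VLAN 42 yields mark 0x1002a; `vlan_from_mark 0x1002a` recovers 42 while the QoS bit is untouched.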