Bart De Schuymer <bdschuym@xxxxxxxxxx> wrote:
> On 26/03/2012 22:21, Florian Westphal wrote:
> > When using a bridge with a management vlan on top (e.g. br0.1), you
> > cannot use iptables to match the input vlan device, because the vlan
> > device isn't resolved yet, i.e. "-i br0" matches, while "-i br0.1"
> > does not, unless "net.bridge.bridge-nf-filter-vlan-tagged" (or
> > "net.bridge.bridge-nf-call-iptables") is turned off.
> >
> > This happens because bridge netfilter runs before
> > vlan device lookup, so skb->dev is set to the bridge, not
> > the vlan device on top of the bridge.
> >
> > I'd like to use iptables -t nat ... -j REDIRECT only for one particular vlan.
> >
> > Two possible solutions come to mind:
> >
> > - #1, add the vlan tag to nf_bridge info for use with physdev match:
> >   "... -m physdev --vlan-id 42 ..."
> > - #2, change bridge netfilter so that it passes in the vlan instead of
> >   the bridge as input device.
> >
> > Any other ideas on how to handle this?
>
> I don't like approach #2: it will break existing firewall configurations
> and I really don't see a reason why we would change the network device
> to a non-bridge device (br0.1 isn't a bridge). Approach #1 can be
> achieved without code changes with the nfmark field as shown below.
>
> You can filter on the vlan id in iptables by using the nfmark field
> intelligently, see e.g.
> http://ebtables.sourceforge.net/examples/basic.html#ex_network_separation

However, the REDIRECT target won't work with vlans on the bridge, because
skb->dev points to the bridge instead of the vlan, and thus the REDIRECT
target fails to get the ip address.

Would at least the PRE_ROUTING part of my patch be acceptable to make
REDIRECT work?

Thanks,
Florian
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
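The nfmark approach Bart refers to, written out as an added example (this is not code from the thread or from the ebtables project): ebtables matches the 802.1Q tag while the frame is still in the bridge hooks, where the vlan device has not been resolved yet, stores the vlan id in the nfmark, and iptables then matches on the mark instead of on "-i br0.1". The bridge name br0, vlan id 42, mark value 42, the LOG rule and the DRY_RUN switch are assumptions made for the example; the sysctl names and the ebtables/iptables options are the standard ones. It shows the match side only; Florian's point that REDIRECT still fails because skb->dev is the bridge is not addressed by marking.

```shell
#!/bin/sh
# Added example, not part of the original message. Per-vlan matching on a
# Linux bridge via nfmark: ebtables sets the mark in the bridge PREROUTING
# hook, iptables matches it later. Assumed names: bridge br0, vlan 42,
# mark 42. DRY_RUN=1 (default) prints the commands instead of running them,
# so the script can be read and checked without root or the tools installed.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the rules that make vlan $2 on bridge $1 visible to
# iptables as nfmark $3.
vlan_mark_rules() {
    br="$1"; vid="$2"; mark="$3"

    # bridged traffic has to reach iptables at all, and tagged frames must
    # not be skipped: these are the two sysctls the message mentions
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=1

    # ebtables: at bridge PREROUTING the frame still carries its 802.1Q tag,
    # so the vlan match works even though skb->dev is the bridge.
    # --logical-in is the bridge; -i would be the physical port.
    run ebtables -t nat -A PREROUTING --logical-in "$br" -p 802_1Q \
        --vlan-id "$vid" -j mark --mark-set "$mark" --mark-target ACCEPT

    # iptables: the nfmark survives into the IP hooks, so match on it
    # instead of on "-i $br.$vid", which does not match at this point.
    run iptables -t filter -A FORWARD -m mark --mark "$mark" \
        -j LOG --log-prefix "vlan$vid: "
}

# Run as a script: vlan_mark_rules <bridge> <vlan-id> <mark>
if [ "$#" -eq 3 ]; then
    vlan_mark_rules "$1" "$2" "$3"
fi
```

With DRY_RUN=0 the same function executes the commands (as root). The mark is set with --mark-set, so it overwrites any mark already on the frame; if other marks are in use on the same box, --mark-or with a dedicated bit range avoids the clash.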