On Tue 27/05/2003 at 19:22, Paul Albert wrote:
> I googled to determine whether an iptables bridge that is filtering on
> IP addresses would be smart enough to pick up on the fact that the
> packets have 802.1Q tags or not. No definitive answer was found. My
> question is just that - does iptables notice that the tag is present or
> will it not know what to do with such a packet?

iptables configures the IP layer (OSI 3) and dot1q is a layer 2 concept. Thus, iptables cannot match dot1q extensions. Nevertheless, you can use ebtables, which provides layer 2 filtering on bridged interfaces and has dot1q matching (vlan match). Using ebtables you can filter dot1q frames from classical ones, even match VLAN id, prio and encapsulated proto.

See http://ebtables.sourceforge.net/

--
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE