Cedric - Thanks for the info. Now that you mention the layer 3 vs. layer 2 aspects, it makes sense. It appears that I have some reading to do ...

Paul

-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, May 27, 2003 11:38 AM
To: Paul Albert
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: iptables and 802.1q tagging

On Tue 27/05/2003 at 19:22, Paul Albert wrote:
> I googled to determine whether an iptables bridge that is filtering on
> IP addresses would be smart enough to pick up on the fact that the
> packets have 802.1Q tags or not. No definitive answer was found. My
> question is just that - does iptables notice that the tag is present
> or will it not know what to do with such a packet?

iptables configures the IP layer (OSI 3) and dot1q is a layer 2 concept. Thus, iptables cannot match dot1q extensions. Nevertheless, you can use ebtables, which provides layer 2 filtering on bridged interfaces and has dot1q matching (vlan match). Using ebtables you can filter dot1q frames from classical ones, and even match VLAN id, prio and encapsulated proto.

See http://ebtables.sourceforge.net/

--
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
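To make the layer 2 vs. layer 3 point concrete, here is an added example (not from this thread, and not ebtables' own code) that parses a constructed Ethernet frame with and without an 802.1Q tag. It extracts the fields an ebtables vlan match sees (VLAN id, prio, encapsulated proto) and shows how a filter that assumes the IP header always starts at byte 14 reads garbage from a tagged frame. Frame contents and addresses are constructed sample values.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks a tagged frame
ETH_P_IP = 0x0800     # EtherType of IPv4


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame, honouring an optional 802.1Q tag.

    Returns the L2 view (tagged, prio, vlan_id, proto) plus the IPv4
    addresses an L3 filter would match on, read from the correct offset.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])  # TCI, then real EtherType
        info.update(tagged=True, prio=tci >> 13, vlan_id=tci & 0x0FFF)
        offset = 18  # the tag pushes the encapsulated header 4 bytes further in
    info["proto"] = ethertype
    if ethertype == ETH_P_IP and len(frame) >= offset + 20:
        ip = frame[offset:offset + 20]
        info["src_ip"] = ".".join(map(str, ip[12:16]))
        info["dst_ip"] = ".".join(map(str, ip[16:20]))
    return info


def naive_src_ip(frame: bytes) -> str:
    """An IP-only view that ignores tags: assumes the IPv4 header sits at byte 14."""
    return ".".join(map(str, frame[26:30]))


def build_frame(vlan_id=None, prio=0) -> bytes:
    """Constructed sample: Ethernet header [+ 802.1Q tag] + minimal IPv4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", ETH_P_8021Q, (prio << 13) | vlan_id)
    # ver/IHL, TOS, total len, id, flags/frag, TTL, proto (UDP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes([192, 168, 10, 5]), bytes([10, 0, 0, 1]))
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip


if __name__ == "__main__":
    for f in (build_frame(), build_frame(vlan_id=100, prio=5)):
        print(parse_frame(f), "naive:", naive_src_ip(f))
```

On the tagged frame the naive reader returns the TTL/protocol/checksum bytes as an "address", which is exactly why an L3-only match cannot reason about the tag.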