On Wed 21/05/2003 at 02:08, Paul Albert wrote:
> I googled to determine whether an iptables
> bridge that is filtering on IP addresses would be
> smart enough to pick up on the fact that the packets
> have 802.1Q tags or not. No definitive answer was
> found. My question is just that - does iptables
> notice that the tag is present or will it not know
> what to do with such a packet?

I would say no, but I am not 100% sure of this, as Netfilter has no
particular knowledge about layer 2 (except for the mac match).

You should have a look at ebtables:

http://ebtables.sourceforge.net/

ebtables is a layer 2 filtering tool for Linux bridges that acts as a
Netfilter complement. In particular, it can filter 802.1Q frames as such
and match on VLAN ID or priority.

From the ebtables man page:

   vlan
       Specify 802.1Q Tag Control Information fields. The protocol must be
       specified as 802_1Q (0x8100).

       --vlan-id [!] id
           The VLAN identifier field (VID). Decimal number from 0 to 4095.

       --vlan-prio [!] prio
           The user_priority field. Decimal number from 0 to 7. The VID
           should be set to 0 ("null VID") or unspecified (for this case
           the VID is deliberately set to 0).

       --vlan-encap [!] type
           The encapsulated Ethernet frame type/length. Specified as
           hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
           from /etc/ethertypes.

See the ebtables-user@xxxxxxxxxxxxxxxxxxxxx list if needed.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
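The 802.1Q matching described in the man page excerpt above, as an added example that is not part of the thread and not ebtables' own code: a small Python model that decodes the Tag Control Information fields the vlan match inspects (user_priority, VID, and the encapsulated type/length) from raw frames, evaluates a few rules against constructed sample frames, and emits the equivalent ebtables command line for each rule. The MAC addresses and frames are made up, the first-match walk is a simplified model of one ebtables chain, and the chain names used are assumptions for the illustration.

```python
"""Model of the 802.1Q fields ebtables' vlan match inspects.

Added example; not from the mailing-list thread or from ebtables. The
frames below are constructed, and the first-match evaluation is a
simplified model of a single ebtables chain, not ebtables itself.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_P_8021Q = 0x8100  # TPID that "-p 802_1Q" selects

# A match field is (value, negated); None means the option was not given.
Field = Optional[Tuple[int, bool]]


@dataclass
class VlanFrame:
    dst: bytes
    src: bytes
    prio: int    # user_priority: top 3 bits of the TCI
    dei: int     # CFI/DEI bit
    vid: int     # VLAN identifier: low 12 bits of the TCI (0 = "null VID")
    encap: int   # encapsulated Ethernet type/length
    payload: bytes


def parse_frame(raw: bytes) -> Optional[VlanFrame]:
    """Decode the tag of a raw Ethernet frame; None if it carries no 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tpid = struct.unpack("!H", raw[12:14])[0]
    if tpid != ETH_P_8021Q:
        return None  # untagged: "-p 802_1Q" never matches, so vlan rules are skipped
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, encap = struct.unpack("!HH", raw[14:18])
    return VlanFrame(raw[0:6], raw[6:12], prio=tci >> 13, dei=(tci >> 12) & 1,
                     vid=tci & 0x0FFF, encap=encap, payload=raw[18:])


@dataclass
class VlanRule:
    """One rule using the vlan match: --vlan-id / --vlan-prio / --vlan-encap."""
    target: str
    vid: Field = None
    prio: Field = None
    encap: Field = None

    def matches(self, f: VlanFrame) -> bool:
        for field, actual in ((self.vid, f.vid), (self.prio, f.prio), (self.encap, f.encap)):
            if field is None:
                continue
            value, negated = field
            if (actual == value) == negated:   # equal-but-negated, or unequal-and-plain
                return False
        return True

    def to_ebtables(self, chain: str = "FORWARD") -> str:
        """Equivalent command line, with '!' placed after the option as the man page shows."""
        parts = [f"ebtables -A {chain} -p 802_1Q"]
        for opt, field, fmt in (("--vlan-id", self.vid, "{:d}"),
                                ("--vlan-prio", self.prio, "{:d}"),
                                ("--vlan-encap", self.encap, "0x{:04x}")):
            if field is None:
                continue
            value, negated = field
            parts.append(f"{opt} {'! ' if negated else ''}{fmt.format(value)}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def evaluate(rules: List[VlanRule], raw: bytes, policy: str = "ACCEPT") -> str:
    """First-match walk of a chain; untagged frames fall through to the chain policy."""
    frame = parse_frame(raw)
    if frame is None:
        return policy
    for rule in rules:
        if rule.matches(frame):
            return rule.target
    return policy


def build_frame(vid: int, prio: int, encap: int, dei: int = 0,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed tagged frame with made-up MAC addresses (sample input only)."""
    if not (0 <= vid <= 4095 and 0 <= prio <= 7 and dei in (0, 1)):
        raise ValueError("VID must be 0..4095, priority 0..7, DEI 0 or 1")
    tci = (prio << 13) | (dei << 12) | vid
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!HHH", ETH_P_8021Q, tci, encap) + payload)


if __name__ == "__main__":
    chain = [
        VlanRule("DROP", vid=(10, False), encap=(0x0800, False)),  # IPv4 on VLAN 10
        VlanRule("DROP", prio=(7, False)),                          # user_priority 7
        VlanRule("DROP", vid=(20, True)),                           # anything not VLAN 20
    ]
    for rule in chain:
        print(rule.to_ebtables())
    for desc, raw in (("IPv4 on VLAN 10", build_frame(10, 0, 0x0800)),
                      ("ARP on VLAN 20", build_frame(20, 0, 0x0806)),
                      ("priority-tagged, null VID", build_frame(0, 7, 0x0806)),
                      ("untagged IPv4", bytes(12) + b"\x08\x00" + bytes(46))):
        print(f"{desc:28s} -> {evaluate(chain, raw)}")
```

Two things the model makes visible that the man page only states: an untagged frame never reaches a vlan rule at all (the `-p 802_1Q` protocol selector fails first, so the chain policy decides), and a priority-tagged frame carries VID 0, which is why the man page tells you to leave `--vlan-id` unspecified or set to 0 when matching on `--vlan-prio`. The bit the 2003-era text calls CFI is decoded here as `dei`; ebtables' vlan match does not expose it, so no rule option is generated for it.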