Re: iptables and 802.1q tagging

On Wed 21/05/2003 at 02:08, Paul Albert wrote:
> I googled to determine whether an iptables 
> bridge that is filtering on IP addresses would be 
> smart enough to pick up on the fact that the packets 
> have 802.1Q tags or not.  No definitive answer was 
> found.  My question is just that - does iptables 
> notice that the tag is present or will it not know 
> what to do with such a packet?

I would say no, but I am not 100% sure of this, for Netfilter has no
particular knowledge about layer 2 (except for mac match). You should
have a look at ebtables:

	http://ebtables.sourceforge.net/

ebtables is a layer 2 filtering tool for Linux bridges, that acts as a
Netfilter complement. In particular, it can filter 802.1q frames as such
and match VLAN ID or Prio. From the ebtables man page:

   vlan
	Specify  802.1Q Tag Control Information fields. The protocol
	must be specified as 802_1Q (0x8100).
                                                                
	--vlan-id [!] id
		The VLAN identifier field (VID). Decimal number from 0
		to 4095.

	--vlan-prio [!] prio
		The  user_priority field. Decimal number from 0 to 7.
		The VID should be set to 0 ("null VID") or unspecified
		(for this case the VID is deliberately set to 0).
 
	--vlan-encap [!] type
		The encapsulated Ethernet frame type/length. Specified
		as hexadecimal number from 0x0000 to 0xFFFF or as a
		symbolic name from /etc/ethertypes.

See ebtables-user@xxxxxxxxxxxxxxxxxxxxx list if needed.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
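
Added example, not part of the original message: a Python sketch of where the three fields matched by the quoted man page options (--vlan-id, --vlan-prio, --vlan-encap) sit in an 802.1Q-tagged frame, and why the IP header starts 4 bytes later than in an untagged frame. The function names and sample frames are constructed for illustration.

```python
import struct

ETH_P_8021Q = 0x8100  # ethertype announcing an 802.1Q tag (ebtables: -p 802_1Q)
ETH_P_IP = 0x0800

def parse_vlan(frame: bytes):
    """Return the 802.1Q tag fields, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, encap = struct.unpack_from("!HH", frame, 14)
    return {
        "prio": tci >> 13,       # user_priority, 0..7      (--vlan-prio)
        "vid": tci & 0x0FFF,     # VLAN identifier, 0..4095 (--vlan-id)
        "encap": encap,          # encapsulated type/length (--vlan-encap)
    }

def ipv4_src(frame: bytes):
    """Source address of the IPv4 packet in the frame, tagged or not."""
    tag = parse_vlan(frame)
    if tag is None:
        (etype,) = struct.unpack_from("!H", frame, 12)
        offset = 14
    else:
        etype, offset = tag["encap"], 18   # the tag pushes the payload 4 bytes on
    if etype != ETH_P_IP or len(frame) < offset + 20:
        return None
    return ".".join(str(b) for b in frame[offset + 12:offset + 16])

# Constructed sample frames (documentation addresses, checksum left at zero).
MACS = bytes.fromhex("020000000002" "020000000001")
IP_HDR = bytes.fromhex("4500001400000000" "40110000" "c000020a" "c6336407")
UNTAGGED = MACS + struct.pack("!H", ETH_P_IP) + IP_HDR
TAGGED = MACS + struct.pack("!HHH", ETH_P_8021Q, (5 << 13) | 100, ETH_P_IP) + IP_HDR

if __name__ == "__main__":
    print(parse_vlan(UNTAGGED), ipv4_src(UNTAGGED))
    print(parse_vlan(TAGGED), ipv4_src(TAGGED))
```

A filter that assumes the IP header always begins at byte 14 would read the tag's control information instead of the addresses on the tagged frame, which is the layer 2 awareness the reply attributes to ebtables.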


