Re: Netfilter Performance when using MAC filter

Matt Zagrabelny wrote:
On Wed, 2007-10-31 at 20:19 +0100, Pascal Hambourg wrote:

Matt Zagrabelny wrote:

If so, you can do MAC filtering (performance shouldn't matter as the MAC
address is in the link header)

Can you please elaborate about the relationship between filtering performance and the address layer?

There is nothing to elaborate on. ;)

The frame contains the MAC address. This is what iptables will be
looking at. If the box running iptables is on the same network/vlan as
the rest of the traffic it is expecting to filter, then it will have MAC
addresses of actual hosts, however, if traffic is coming from a
different network/vlan then said traffic will have been routed and the
frame will have changed, thus the MAC address will be the MAC of the
network boundary, namely the router/gateway.

Sorry, but I still do not see the point in "performance shouldn't matter as the MAC address is in the link header". Performance (read: speed) is mostly related to the number of rules, isn't it?
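The link-header point in the exchange above, as an added example that is not part of the original thread (the frames, MAC addresses and IP addresses are constructed here, and the rule walk is a simplified model of a first-match chain, not netfilter's own code): it parses the source MAC at its fixed offset in the Ethernet II header, applies a MAC allow-list to each frame, and shows that a frame routed in from another subnet carries the gateway's source MAC, so per-host MAC rules cannot tell remote hosts apart. It also returns how many rules were walked before a verdict, which is the cost Pascal is asking about.

```python
import struct

# Ethernet II header: dst MAC (6) | src MAC (6) | EtherType (2); IPv4 header follows.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR_LEN = 20


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet II frame carrying a bare IPv4 header (constructed test data)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN, 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip


def parse_frame(frame):
    """Return (src_mac, src_ip) as text. The MAC is read straight out of the link header."""
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN:
        raise ValueError("truncated frame")
    src_mac = mac_text(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    src_ip = ".".join(str(b) for b in frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16])
    return src_mac, src_ip


def evaluate(frame, rules, policy="DROP"):
    """First-match rule walk. Each rule is (src_mac or None, src_ip or None, verdict).

    Returns (verdict, rules_checked) so the cost of a long chain is visible:
    every frame that reaches rule N has been compared against N rules.
    """
    src_mac, src_ip = parse_frame(frame)
    for n, (mac, ip, verdict) in enumerate(rules, start=1):
        if (mac is None or mac == src_mac) and (ip is None or ip == src_ip):
            return verdict, n
    return policy, len(rules)


# Constructed addresses: a host on the filter's own LAN, the LAN's gateway, and the filter box.
LAN_HOST_MAC = "02:00:00:00:00:0a"
GATEWAY_MAC = "02:00:00:00:00:01"
FILTER_MAC = "02:00:00:00:00:ff"

# Same-segment traffic: the frame's source MAC is the real sender's.
LAN_FRAME = build_frame(LAN_HOST_MAC, FILTER_MAC, "192.168.1.10", "192.168.1.1")

# Traffic from two hosts on another subnet: the router rewrote the link header on
# the last hop, so both frames carry the gateway's MAC even though the IP source differs.
ROUTED_FRAME_A = build_frame(GATEWAY_MAC, FILTER_MAC, "10.0.0.5", "192.168.1.1")
ROUTED_FRAME_B = build_frame(GATEWAY_MAC, FILTER_MAC, "10.0.0.66", "192.168.1.1")

PER_HOST_MAC_RULES = [(LAN_HOST_MAC, None, "ACCEPT")]
MAC_RULES_WITH_GATEWAY = [(LAN_HOST_MAC, None, "ACCEPT"), (GATEWAY_MAC, None, "ACCEPT")]


def long_chain(decoy_rules):
    """A chain padded with non-matching MAC rules in front of the real one (constructed)."""
    decoys = [(f"02:00:00:00:01:{i:02x}", None, "ACCEPT") for i in range(decoy_rules)]
    return decoys + PER_HOST_MAC_RULES


if __name__ == "__main__":
    for name, frame in (("lan", LAN_FRAME), ("routed A", ROUTED_FRAME_A), ("routed B", ROUTED_FRAME_B)):
        print(name, parse_frame(frame), evaluate(frame, MAC_RULES_WITH_GATEWAY))
    print("lan frame through 200 decoys:", evaluate(LAN_FRAME, long_chain(200)))
```

Reading the MAC is a fixed-offset comparison, which is why its position in the link header does not make a single rule expensive; what grows with the ruleset is the number of rules walked before a verdict, and a MAC allow-list only identifies hosts that share the filter's own segment.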
