Re: ebtables & VLAN redirect

2010/6/28 Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx>:
> Will you please provide an example of what redirection you are talking
> about?

Unfortunately, I have a set of tasks to cope with.
1. UDP broadcast relaying for specific ports from specific VLANs - on
second thought I've decided to use udp-broadcast-relay as it's the
simplest way.
2. Multicast feeding and IGMP exchange snooping - I tried to avoid
using igmpproxy but probably I should use it.
3. Mirroring specific sessions to VLAN 9 - and I can postpone this
task for the future.

>
> Remember that you can set a default policy of DROP in your BROUTING chain to
> cause the packets to be routed like normal.  So any frames that you don't
> want bridged will simply be routed like normal.  Thereby only bridging the
> frames that you want to.

Yes, I knew about it - very nice feature.

>> That would work but I need to redirect traffic that is not destined to
>> VLAN 9 and ARP-proxy trick does not work for this case.
>
> So you are going to have to intercept the traffic and alter the destination
> MAC (and possibly IP) address(es)?

For mirroring purposes I have to alter the destination MAC and I can do
that in the POSTROUTING chain.
The other tasks use broadcast/multicast destination addresses so I do not
need to alter them.

>
> I believe that EBTables can do that.  If not, you can probably have IPTables
> work on bridged frames, and I know that it will do that.
>
> I'm still not sure that you can't do what you want to do with EBTables and /
> or IPTables.
>
> Remember that EBTables will learn where MAC addresses are and won't flood
> frames out (go in to dumb hub mode).
>
> I don't think you will be bridging too many packets.  (That is unless I
> really misunderstand what you are wanting to do.)

Bridging is a good idea, but its current implementation lacks some
features important to me, such as the impossibility of limiting traffic
directions between bridge devices and the fact that a network device
can belong to only one bridge.

>
> Can you provide an example (sanitized if need be) of what you are trying to
> do?  Including (hypothetical) source and destination MAC and IP addresses on
> either side of the bridge?

In two words :). All user VLANs (eth1.100-eth1.200) have IPs belonging
to one subnet (but sometimes to another) and they can communicate with each
other by using the proxy-arp trick under the control of the router. And now I
need to extend the capabilities of this communication as I stated above.
Owing to talking with you and thinking about the problems, I understand my
tasks more clearly.
Grant, thank you for your support.

-- 
Best regards
Anatoly Muliarski
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
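Grant's point about a DROP policy in BROUTING, as an added example that is not part of the thread: a small ebtables broute setup that routes everything by default and bridges only UDP broadcasts to one port arriving on chosen VLAN ports. The bridge layout, the interface names and the port number are assumptions; it prints the commands unless EBTABLES=ebtables is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the user VLAN sub-interfaces
# (e.g. eth1.100, eth1.200) are ports of one Linux bridge and that the relayed
# broadcast service uses UDP port 1234. Dry-run by default: set EBTABLES=ebtables
# (as root, on a kernel with the bridge netfilter modules) to apply the rules.

# Selective bridging via the broute table. In BROUTING, DROP does not discard
# a frame: it hands it to the IP stack to be routed. Only frames hit by an
# ACCEPT rule are bridged, so the bridge carries just the traffic listed here.
setup_broute() {
    ebt="${EBTABLES:-echo}"
    port="$1"; shift
    "$ebt" -t broute -F BROUTING
    "$ebt" -t broute -P BROUTING DROP   # default: route like a normal router
    for dev in "$@"; do
        # bridge only IPv4 UDP broadcasts to $port arriving on this VLAN port;
        # unicast, other ports and other VLANs fall to the policy and are routed
        "$ebt" -t broute -A BROUTING -i "$dev" -p IPv4 -d Broadcast \
            --ip-proto udp --ip-dport "$port" -j ACCEPT
    done
}

# Dry-run helper: number of bridging (ACCEPT) rules the setup would add,
# one per VLAN port named on the command line.
count_bridge_rules() {
    ( EBTABLES=echo; setup_broute "$@" ) | grep -c -- '-j ACCEPT'
}

# Bridge the broadcast service from two user VLANs, route everything else.
setup_broute 1234 eth1.100 eth1.200
```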
