On Mon, 26 Sep 2005, sebastian.ionita@xxxxxxxxxxxxxxxx wrote:

> Why doesn't iptables work with vlans?
>
> iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
>
> Gives me the error:
>
> host/network eth1.11 not found.
>
> I'm running kernel version 2.4.27 with iptables 1.2.9.
> The eth1.11 exists and works perfectly.

Remember that iptables interface names can include wildcard matches, so it
can't be checking the names anyway at the point that the rules are inserted!

In fact iptables doesn't CARE if the interface exists at the time you create
the table entry!  e.g. I can happily run:

  iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
  iptables -t mangle -A FORWARD -i eth0 -o WibbleMe.32 -j MARK --set-mark 4

and displaying it I get:

  iptables -t mangle -nvL FORWARD
  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out          source               destination
      0     0 MARK       all  --  eth0   eth1.11      0.0.0.0/0            0.0.0.0/0            MARK set 0x4
      0     0 MARK       all  --  eth0   WibbleMe.32  0.0.0.0/0            0.0.0.0/0            MARK set 0x4

and on that host neither exists atm.  Of course they might *later* exist, and
anyway one can rename interfaces with appropriate ip commands (though messing
with the vlan tag part is unusual...)

Make sure that your version of iptables was compiled against the right
kernel-headers or bad things will happen.  The kernel interfaces have changed
at least a couple of times so I (being paranoid) now ensure that I have pairs
of (kernel, iptables) to be sure that they match.

> Seby,

-- Jon

-- 
Jon Peatfield, Computer Officer, DAMTP, University of Cambridge
Mail: jp107@xxxxxxxxxxxxxxx   Web: http://www.damtp.cam.ac.uk/
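Since iptables happily accepts rules for interfaces that do not (yet) exist, a practitioner auditing a ruleset usually wants a quick check for "dangling" interface specs. The following script is an added example, not code from Jon's mail or from the iptables project. It parses the `iptables -t mangle -nvL FORWARD` output format shown above (the sample text is constructed to mirror that output, with one extra wildcard rule), honours the two wildcard forms iptables uses for -i/-o (a bare `*` meaning any interface, and a prefix ending in `+`), strips a leading `!` negation, and reports every spec that no interface in a constructed list satisfies. On a live host the `EXISTING_IFACES` list would come from `ls /sys/class/net`; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -t mangle -nvL FORWARD` output, modelled on
# the listing in the mail plus one rule using the "eth+" prefix wildcard.
SAMPLE_RULES='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out          source               destination
    0     0 MARK       all  --  eth0   eth1.11      0.0.0.0/0            0.0.0.0/0            MARK set 0x4
    0     0 MARK       all  --  eth0   WibbleMe.32  0.0.0.0/0            0.0.0.0/0            MARK set 0x4
    0     0 ACCEPT     all  --  eth+   *            0.0.0.0/0            0.0.0.0/0'

# Constructed list of interfaces present on the host.  On a real box replace
# with:  EXISTING_IFACES=$(ls /sys/class/net)
EXISTING_IFACES='lo eth0 eth1'

# iface_matches NAME SPEC
# True if the iptables interface SPEC matches interface NAME.  SPEC is either
# a literal name, "*" (any interface, as printed by -L), or a prefix followed
# by "+" (iptables' prefix wildcard, e.g. "eth+" matches eth0 and eth1.11).
iface_matches() {
  name=$1
  spec=$2
  case $spec in
    '*') return 0 ;;
    *+)
      prefix=${spec%+}
      case $name in
        "$prefix"*) return 0 ;;
      esac
      return 1 ;;
    *) [ "$name" = "$spec" ] ;;
  esac
}

# spec_has_iface SPEC
# True if at least one interface in EXISTING_IFACES satisfies SPEC.
spec_has_iface() {
  for i in $EXISTING_IFACES; do
    if iface_matches "$i" "$1"; then
      return 0
    fi
  done
  return 1
}

# dangling_ifaces
# Prints, one per line and in C-locale sorted order, each distinct in/out
# interface spec from SAMPLE_RULES that no existing interface satisfies.
# Columns 6 and 7 of the -nvL listing are "in" and "out"; the first two
# lines are the chain header and the column header.
dangling_ifaces() {
  printf '%s\n' "$SAMPLE_RULES" |
    awk 'NR > 2 { print $6; print $7 }' |
    LC_ALL=C sort -u |
    while read -r spec; do
      spec=${spec#!}                     # "!eth0" is a negated match; audit the name itself
      spec_has_iface "$spec" || printf '%s\n' "$spec"
    done
}

# Example run (as the mail shows, eth1.11 and WibbleMe.32 are accepted by
# iptables even though neither interface exists here).
dangling_ifaces
```

A spec that shows up here is not necessarily a bug: the interface may be created later (a VLAN sub-interface brought up after boot, for instance), which is exactly why iptables does not refuse the rule. It is, however, the list of rules that are currently matching nothing, which is worth knowing before you trust a MARK or a DROP on such a rule.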