[Bridge] Bridging vlans...
jjones at djc.state.id.us
Thu Mar 25 17:44:51 PST 2004
Now, with iptables, under the first scenario (creating 2 vlan interfaces per
physical interface, and bridging the vlan interfaces), can I safely DROP
everything to, from, or through eth0 & eth1? That is, assuming I don't want
to forward any untagged frames.
iptables -N only_tagged
iptables -A only_tagged -j LOG --log-prefix " untagged? "
iptables -A only_tagged -j DROP
iptables -A INPUT -i eth0 -j only_tagged
iptables -A INPUT -i eth1 -j only_tagged
iptables -A OUTPUT -o eth0 -j only_tagged
iptables -A OUTPUT -o eth1 -j only_tagged
iptables -A FORWARD -i eth0 -j only_tagged
iptables -A FORWARD -i eth1 -j only_tagged
Then do my more granular filtering on the vlan interfaces...
(guess this would be something to ask the vlan mailing list people -- but
what the heck, this list isn't terribly busy anyway)
I imagine I'll have to come up with a fairly complex matrix of --physdev-in,
--physdev-out, etc. combinations. Yikes.
> -----Original Message-----
> From: bridge-bounces at lists.osdl.org
> [mailto:bridge-bounces at lists.osdl.org] On Behalf Of John W. Linville
> Sent: Thursday, March 25, 2004 5:56 AM
> To: Jeremy Jones
> Cc: bridge at lists.osdl.org
> Subject: Re: [Bridge] Bridging vlans...
> I have no specific experience with a situation like yours. But, that
> won't stop me from rendering an opinion... :-)
> I, too, would lean toward the first at least partly for the reason you
> describe. But, you should also consider untagged frames and frames with
> other VLAN IDs. The second configuration should bridge all frames
> (tagged or untagged), while the first will only be bridging frames with
> VLAN IDs of 4 or 51. I'm not sure which is your desired behaviour, but
> I suspect it is the first configuration which you should prefer.
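As an added example (not code from the original post or from the bridge project), the script below generates the poster's "only_tagged" ruleset as text instead of loading it, so the commands can be reviewed before being piped to sh as root. It also emits the physdev-based FORWARD rules for traffic bridged between the tagged sub-interfaces, which is the "matrix" the poster expects to need. The device names eth0/eth1, the VLAN IDs 4 and 51 and the chain name only_tagged come from the thread; the bridge names br4 and br51 are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Prints iptables commands rather
# than running them. eth0/eth1, VLAN IDs 4 and 51 and the chain name come from
# the thread; bridge names br4/br51 are assumed.

# Rules that send everything seen on the untagged physical devices into the
# poster's log-and-drop chain. Arguments: the physical interface names.
gen_only_tagged_rules() {
    echo 'iptables -N only_tagged'
    echo 'iptables -A only_tagged -j LOG --log-prefix " untagged? "'
    echo 'iptables -A only_tagged -j DROP'
    for dev in "$@"; do
        # INPUT and FORWARD know the ingress device, so -i is valid here.
        echo "iptables -A INPUT -i $dev -j only_tagged"
        echo "iptables -A FORWARD -i $dev -j only_tagged"
        # OUTPUT has no ingress device; only the egress match -o is valid.
        echo "iptables -A OUTPUT -o $dev -j only_tagged"
    done
}

# Granular rules for frames bridged between the tagged sub-interfaces of one
# VLAN. With bridge netfilter enabled, bridged IPv4 traffic passes FORWARD
# with the bridge itself as -i and -o, so the bridge ports are told apart
# with the physdev match. Arguments: VLAN ID, bridge name, physical devices.
gen_vlan_bridge_rules() {
    vid=$1; br=$2; shift 2
    for in_dev in "$@"; do
        for out_dev in "$@"; do
            if [ "$in_dev" != "$out_dev" ]; then
                echo "iptables -A FORWARD -i $br -o $br -m physdev --physdev-in $in_dev.$vid --physdev-out $out_dev.$vid -j ACCEPT"
            fi
        done
    done
}

# Sanity check on the generated text: no OUTPUT rule may use -i, and every
# physical device must be referenced by exactly three only_tagged rules.
check_rules() {
    rules=$(gen_only_tagged_rules "$@")
    if printf '%s\n' "$rules" | grep -q 'OUTPUT -i'; then
        return 1
    fi
    for dev in "$@"; do
        n=$(printf '%s\n' "$rules" | grep -c " $dev -j only_tagged")
        [ "$n" -eq 3 ] || return 1
    done
    return 0
}

gen_only_tagged_rules eth0 eth1
gen_vlan_bridge_rules 4 br4 eth0 eth1
gen_vlan_bridge_rules 51 br51 eth0 eth1
```

Two caveats on what these rules actually cover: iptables only ever sees IPv4, so untagged ARP, STP or other non-IP frames arriving on eth0/eth1 are not touched by the only_tagged chain (ebtables or arptables would be needed for those); and the physdev matches only fire when bridge netfilter is active, otherwise bridged frames never reach the FORWARD chain at all.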