vlan target for iptables

Harald Welte laforge at netfilter.org
Fri Oct 21 14:17:59 CEST 2005


On Mon, Aug 08, 2005 at 05:18:28PM +0100, Amin Azez wrote:
> Please consider this for inclusion in iptables. Should this go in pom?

I would merge it, once I'm sure that it is safe to use ;)

> This adds --vlan target matching for iptables.
> Useful when running as a bridge and perhaps in other cases.
> 

> I'm afraid I had to steal the vlan packet matching code IS_VLAN_* from
> one of the  vlan modules as it was private to that module.  I hate
> having to do that.

Well, it actually makes sense since you cannot know whether the local
network stack actually has vlan support (and therefore has those
functions for vlan matching).

> For user-space:
> 
> Just add dump libipt_vlan.c extensions and add vlan to PF_EXT_SLIB
> definition in extensions/Makefile
> 
> I'm not sending a patch for extensions/Makefile because it's bound
> to fail applying with all the PF_EXT_SLIB stuff all on one line.

The question is:

What happens with packets that don't have a vlan tag?

In order to always work, it has to be sure that

1) you can match on all valid vlan tag numbers plus "NONE" for no tag
2) the kernel code produces reasonable results, i.e. also cleanly
   deals with (and matches) packets that don't have a vlan tag.

Cheers,
	Harald
-- 
- Harald Welte <laforge at netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

