I have the following IF configuration:
eth0 --- br0 --- eth1
I receive udp broadcast transmission (on port 20000) on eth1 and do not want the bridge to forward it to eth0 (my wired interface). Hence, I apply
ebtables -t filter -A FORWARD -o eth0 -p 0x0800 --ip-protocol udp --ip-destination-port 20000 -j DROP
That works great for me. When I am running my device in VLAN mode, i.e. with the following configuration,
eth0 --- br0 --- eth1
|
br0.100
here I have added a VLAN-enabled bridge to manage radio on VLAN 100. The traffic arrives tagged on eth1 and I am unable to detect it using the same rule when it goes through the bridge.
Tried to detect the packets with iptables and ebtables with its vlan options. Were not able to filter them by udp port via ebtables. Moreover, could not find the method to mark them by port via iptables. Also, tried marking using physdev without success.
Is there a right method to do this for a tagged stream?
Advertisement
Answer
You may not be able to see 802.1Q encapsulated bridged packets with iptables by default.
To enable this, do:
echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged
See http://ebtables.netfilter.org/documentation/bridge-nf.html
Now, you can filter those packets with iptables. You should find out how to match the destination port in the packet with something like:
iptables -A FORWARD -m u32 --u32 "W&0xFFFF=0x4E20" -j DROP
where 0x4E20 is your port (20000) and W is the offset of your 4 byte match (note that you are matching only last two bytes with 0x0000FFFF). You have to find out what the W is.
See iptables man page for details on u32 match.