
Filtering out VLAN tagged packets on Linux bridge [closed]

I have the following IF configuration:

eth0 --- br0 --- eth1 

I receive a UDP broadcast transmission (on port 20000) on eth1 and do not want the bridge to forward it to eth0 (my wired interface). Hence, I apply

ebtables -t filter -A FORWARD -o eth0 -p 0x0800 --ip-protocol udp --ip-destination-port 20000 -j DROP

That works great for me. When I am running my device in VLAN mode, i.e. with the following configuration,

eth0 --- br0 --- eth1 
          |
       br0.100

I have added a VLAN-enabled bridge interface to manage the radio on VLAN 100. The traffic arrives tagged on eth1 and I am unable to detect it with the same rule when it goes through the bridge.

I tried to detect the packets with iptables, and with ebtables and its VLAN options. I was not able to filter them by UDP port via ebtables. Moreover, I could not find a method to mark them by port via iptables. I also tried marking them using physdev, without success.

Is there a right method to do this for a tagged stream?


Answer

You may not be able to see 802.1Q encapsulated bridged packets with iptables by default.

To enable this, do:

echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged

See http://ebtables.netfilter.org/documentation/bridge-nf.html

Now, you can filter those packets with iptables. You should find out how to match the destination port in the packet with something like:

iptables -A FORWARD -m u32 --u32 "W&0xFFFF=0x4E20" -j DROP

where 0x4E20 is your port (20000) and W is the offset of your 4-byte match (note that you are matching only the last two bytes with 0x0000FFFF). You have to find out what W is.

See iptables man page for details on u32 match.
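
The following is an added example, not code from the answer above or from the question: a small Python interpreter for the u32 match language as documented in iptables-extensions(8), applied to constructed IPv4/UDP packets to work out the W offset for a UDP destination port. It assumes u32 semantics where offset 0 is the first byte of the IPv4 header (so an 802.1Q tag in front of it does not shift the offsets), `&`, `<<`, `>>` operate on the 32-bit value read, and `@` rebases subsequent reads to the value computed so far. The packet builder, the rule strings and the function names are this example's own; the packets it builds have zero checksums because the matcher never inspects them.

```python
import re
import struct

# Added example, not code from the answer above: a small interpreter for the
# iptables u32 match language (as documented in iptables-extensions(8)), used
# to work out the "W" offset for a UDP destination port and to show why a
# fixed offset is fragile. As in u32, offset 0 is the first byte of the IPv4
# header; any 802.1Q tag sits before that and does not shift these offsets.

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@")
_MASK32 = 0xFFFFFFFF


def _read32(packet, offset):
    """Fetch 4 bytes big-endian at offset; None if the read runs off the packet."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, offset)[0]


def _eval_location(packet, location):
    """Evaluate a u32 location: a number, then pairs of (& | << | >> | @) number."""
    tokens = _TOKEN.findall(location)
    base = 0
    value = _read32(packet, int(tokens[0], 0))
    i = 1
    while value is not None and i + 1 < len(tokens):
        op, operand = tokens[i], int(tokens[i + 1], 0)
        if op == "&":
            value &= operand
        elif op == ">>":
            value >>= operand
        elif op == "<<":
            value = (value << operand) & _MASK32
        elif op == "@":
            # Rebase: the value computed so far becomes the origin for later reads.
            base += value
            value = _read32(packet, base + operand)
        i += 2
    return value


def _parse_ranges(spec):
    """'0x4E20' or '4,6' or '1024:65535' -> list of inclusive (lo, hi) pairs."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition(":")
        lo = int(lo, 0)
        ranges.append((lo, int(hi, 0) if hi else lo))
    return ranges


def u32_match(packet, expr):
    """True if every '&&'-joined test of the u32 expression matches the packet.
    A read past the end of the packet makes the whole rule fail, as in u32."""
    for test in expr.split("&&"):
        location, _, values = test.partition("=")
        value = _eval_location(packet, location.strip())
        if value is None:
            return False
        if not any(lo <= value <= hi for lo, hi in _parse_ranges(values)):
            return False
    return True


def build_ipv4_udp(dst_port, options=b"", proto=17, src_port=1234, payload=b""):
    """Constructed IPv4 packet with an 8-byte UDP-style header (checksums zero;
    the matcher never looks at them). options pads the IP header so IHL > 5."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    transport = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(transport),
                     0, 0, 64, proto, 0, bytes([192, 168, 1, 10]), bytes([255, 255, 255, 255]))
    return ip + options + transport


# With IHL=5 the UDP header starts at byte 20, so the 4 bytes at offset 20 are
# srcport<<16 | dstport and &0xFFFF keeps the destination port: W = 20 for an
# option-less IPv4 header.
FIXED_OFFSET_RULE = "20&0xFFFF=0x4E20"
# IHL-aware form: byte 9 must be 17 (UDP), then 0>>22&0x3C yields IHL*4 and
# '@' rebases to the start of the transport header before reading the ports.
IHL_AWARE_RULE = "6&0xFF=17 && 0>>22&0x3C@0&0xFFFF=0x4E20"


def check(packet):
    """Evaluate both rules against one packet."""
    return {"fixed": u32_match(packet, FIXED_OFFSET_RULE),
            "ihl_aware": u32_match(packet, IHL_AWARE_RULE)}


if __name__ == "__main__":
    print("no options  ", check(build_ipv4_udp(20000)))
    print("IHL=6       ", check(build_ipv4_udp(20000, options=b"\x01" * 4)))
    print("TCP, port ok", check(build_ipv4_udp(20000, proto=6)))
```

For an option-less IPv4 header the answer's W is 20, but that fixed offset misses the port as soon as the IP header carries options, and it also matches TCP segments to port 20000 because the port fields sit at the same place; the IHL-aware string `6&0xFF=17 && 0>>22&0x3C@0&0xFFFF=0x4E20` handles both, and is what I would put in `--u32`. Once `bridge-nf-filter-vlan-tagged` is set the plain `-p udp --dport 20000` match also sees the packet, so combining it with `-m physdev --physdev-out eth0` is the more direct way to drop only what would leave towards eth0.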

User contributions licensed under: CC BY-SA