Matthew,
I made my hack for the 2.2.12 which didn't include your modifications and it
worked well for me (I wasn't using neither spoof protection or firewalling code).
Your solution with the new brg0 interface is much better than mine. Forget it,
I haven't realized the new 2.2.14 bridge functionality when I wrote my last
message.
By the way, you were talking about bridge with firewall. I'm doing this
dropping packets with classes and filters (u32) at the queue level, but I have
seen a patch on the web that creates a new chain within ipchains to filter the
data that crosses the bridge. Do you (and Alan) think there is a better solution ?
The mini-howto bridge+firewall solution is a shame...
Regards,
Miguel Freitas
Matthew Grant wrote:
> Miguel,
>
> Picture the bridge as an ethernet wire, brg0 is the ehthernet interface
> on to this one bit of wire. The approach you detail below does not work
> well with the IP filter code, and you will get some other strange
> effects as when a packet is received, the interface it is received from
> is bound to the packet. This identity can be used by the higher layer
> protocols, as in the IPv4 firewalling/filtering. The brg0 device gets
> around this by assigning its own interface identity to the packets
> intended for the machine itself. Nothing is lost, because the IP
> filters for instance never looked at packets traversing the bridge as
> they are further up in the IP stack. The tool for configuring the new
> bridge code in 2.2.14 can be found here:
>
> http://lrp.plain.co.nz/tarballs/bridgex_0.30.tar.gz
>
> This will enable the ethernet interfaces you require for bridging, as by
> default they are now turned off.
>
> cheers,
>
> Matthew Grant
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Jan 15 2000 - 21:00:19 EST