diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-05-08 13:36:44 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-05-08 13:36:47 -0400 |
| commit | 4981682cc19733f3ca43d3abd81dd4adbc9005d5 (patch) | |
| tree | 6c4583e26b8f12559defc11d0c141011a71e3de1 /Documentation/networking | |
| parent | ac3a546ac89fdf3c4b50e40039a5a7f6df4dda72 (diff) | |
netfilter: bridge: optionally set indev to vlan
if net.bridge.bridge-nf-filter-vlan-tagged sysctl is enabled, bridge
netfilter removes the vlan header temporarily and then feeds the packet
to ip(6)tables.
When the new "bridge-nf-pass-vlan-input-device" sysctl is on
(default off), then bridge netfilter will also set the
in-interface to the vlan interface; if such an interface exists.
This is needed to make iptables REDIRECT target work with
"vlan-on-top-of-bridge" setups and to allow use of "iptables -i" to
match the vlan device name.
Also update Documentation with current brnf default settings.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'Documentation/networking')
| -rw-r--r-- | Documentation/networking/ip-sysctl.txt | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index 90b0c4fd275b..6f896b94abdc 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt | |||
| @@ -1301,13 +1301,22 @@ bridge-nf-call-ip6tables - BOOLEAN | |||
| 1301 | bridge-nf-filter-vlan-tagged - BOOLEAN | 1301 | bridge-nf-filter-vlan-tagged - BOOLEAN |
| 1302 | 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. | 1302 | 1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables. |
| 1303 | 0 : disable this. | 1303 | 0 : disable this. |
| 1304 | Default: 1 | 1304 | Default: 0 |
| 1305 | 1305 | ||
| 1306 | bridge-nf-filter-pppoe-tagged - BOOLEAN | 1306 | bridge-nf-filter-pppoe-tagged - BOOLEAN |
| 1307 | 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. | 1307 | 1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables. |
| 1308 | 0 : disable this. | 1308 | 0 : disable this. |
| 1309 | Default: 1 | 1309 | Default: 0 |
| 1310 | 1310 | ||
| 1311 | bridge-nf-pass-vlan-input-dev - BOOLEAN | ||
| 1312 | 1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan | ||
| 1313 | interface on the bridge and set the netfilter input device to the vlan. | ||
| 1314 | This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT | ||
| 1315 | target work with vlan-on-top-of-bridge interfaces. When no matching | ||
| 1316 | vlan interface is found, or this switch is off, the input device is | ||
| 1317 | set to the bridge interface. | ||
| 1318 | 0: disable bridge netfilter vlan interface lookup. | ||
| 1319 | Default: 0 | ||
| 1311 | 1320 | ||
| 1312 | proc/sys/net/sctp/* Variables: | 1321 | proc/sys/net/sctp/* Variables: |
| 1313 | 1322 | ||