netfilter: bridge: optionally set indev to vlan

if net.bridge.bridge-nf-filter-vlan-tagged sysctl is enabled, bridge
netfilter removes the vlan header temporarily and then feeds the packet
to ip(6)tables.

When the new "bridge-nf-pass-vlan-input-device" sysctl is on
(default off), then bridge netfilter will also set the
in-interface to the vlan interface; if such an interface exists.

This is needed to make iptables REDIRECT target work with
"vlan-on-top-of-bridge" setups and to allow use of "iptables -i" to
match the vlan device name.

Also update Documentation with current brnf default settings.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 11 insertions, 2 deletions

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 90b0c4fd275b..6f896b94abdc 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1301,13 +1301,22 @@ bridge-nf-call-ip6tables - BOOLEAN
 bridge-nf-filter-vlan-tagged - BOOLEAN
         1 : pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables.
         0 : disable this.
-        Default: 1
+        Default: 0
 
 bridge-nf-filter-pppoe-tagged - BOOLEAN
         1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
         0 : disable this.
-        Default: 1
+        Default: 0
 
+bridge-nf-pass-vlan-input-dev - BOOLEAN
+        1: if bridge-nf-filter-vlan-tagged is enabled, try to find a vlan
+        interface on the bridge and set the netfilter input device to the vlan.
+        This allows use of e.g. "iptables -i br0.1" and makes the REDIRECT
+        target work with vlan-on-top-of-bridge interfaces.  When no matching
+        vlan interface is found, or this switch is off, the input device is
+        set to the bridge interface.
+        0: disable bridge netfilter vlan interface lookup.
+        Default: 0
 
 proc/sys/net/sctp/* Variables: