Balazs Scheidler writes:
> I would like to easily match a set of dynamically created interfaces
> from my packet filter rules. The attached patch forms the basis of my
> implementation and I would like to know whether something like this is
> mergeable to mainline.
[snip]
> The implementation:
>
> Each interface can belong to a single "group" at a time, an interface
> comes up without being a member in any of the groups.

You can get a similar effect by (ab)using the iflink field i.e. set the iflink to the parent interface and modify ip_tables.c:ip_packet_match to check the ifindex (or iflink if defined) for a match. An advantage of this is that it doesn't require adding any new fields and the only kernel change is to ip_tables.c:ip_packet_match (and its caller). That said, an explicit group (or zone as various firewall vendors call it) is cleaner.