On Wed, 2006-08-02 at 21:08 -0700, Stephen J. Bevan wrote:
> Balazs Scheidler writes:
> > I would like to easily match a set of dynamically created interfaces
> > from my packet filter rules. The attached patch forms the basis of my
> > implementation and I would like to know whether something like this is
> > mergeable to mainline.
> [snip]
> > The implementation:
> >
> > Each interface can belong to a single "group" at a time, an interface
> > comes up without being a member in any of the groups.
>
> You can get a similar effect by (ab)using the iflink field i.e. set
> the iflink to the parent interface and modify
> ip_tables.c:ip_packet_match to check the ifindex (or iflink if
> defined) for a match. An advantage of this is that it doesn't require
> adding any new fields and the only kernel change is to
> ip_tables.c:ip_packet_match (and its caller). That said, an explicit
> group (or zone as various firewall vendors call it) is cleaner.

I could hack a solution together, but I'd prefer to do this cleanly,
preferably as a patch in mainline. I would like to incorporate this
functionality in our product.

--
Bazsi