[lug] netfilter strangeness

Sean Reifschneider jafo at tummy.com
Mon May 30 19:49:43 MDT 2005


On Mon, May 30, 2005 at 12:39:49PM -0600, Daniel Webb wrote:
>I should have mentioned that eth1 is the wireless device, and nothing is
>connected to the ethernet LAN ports.  So for two machines on the LAN to

My understanding is that an Access Point in infrastructure mode doesn't
pass the wireless machine-to-machine traffic through the kernel routing
or other layers in the kernel, they get shunted off to the other machines
by the wireless AP driver and you really don't have an opportunity to do
filtering or shaping on them.  This would also explain why in!=out.  It's
similar in notion to running a switch between the internal machines, but
the wireless AP driver is implementing this switching.  In promiscuous mode
you can see these packets, but not control them.

>I believe I read in the OpenWRT documents that you can also split all 4
>ethernet LAN ports and route them separately, which is pretty impressive for a
>$65 router.

My understanding is that you can't deal with the 4 different switch ports
independently, literally, but you can enable VLANing on them to effectively
treat them as different interfaces.  So, even more impressively, you could
hook 5 48-port switches using VLAN tagging to this box effectively giving you
240 independent ethernet ports you could route among.  Of course your
backbone bandwidth is only a few hundred megabits, but you get the idea.

Sean
-- 
 No man has a natural right to commit aggression on the equal rights of
 another, and this is all from which the laws ought to restrain him. -- T.J.
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
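The VLAN arrangement Sean sketches (every port of five 48-port switches on its own 802.1Q VID, trunked into one box that routes among them) is easiest to reason about with the frame format in hand. The script below is an added example and not code from the original post, the LUG thread, or OpenWRT: it assigns a VID per (switch, port) pair, builds and parses 802.1Q-tagged Ethernet frames, and reports which kernel sub-interface such a frame lands on. The `base_vid=100` starting point, the sample MAC addresses, and the `eth0.<vid>` sub-interface naming (the Linux 8021q module's convention, assumed here) are all illustrative choices.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # VID 0 (priority-only) and 4095 are reserved


def vlan_plan(num_switches=5, ports_per_switch=48, base_vid=100):
    """Give every (switch, port) pair its own VLAN ID, as in the 5 x 48-port
    example: each edge port becomes an access port on a unique VID and the
    uplink to the router is an 802.1Q trunk carrying all of them.
    base_vid=100 is an arbitrary starting point (assumption)."""
    plan = {}
    vid = base_vid
    for switch in range(num_switches):
        for port in range(ports_per_switch):
            if vid > VID_MAX:
                raise ValueError("more edge ports than usable 802.1Q VIDs")
            plan[(switch, port)] = vid
            vid += 1
    return plan


def tag_frame(dst_mac, src_mac, vid, ethertype, payload, pcp=0):
    """Build an Ethernet frame with an 802.1Q tag inserted after the source MAC:
    dst(6) src(6) TPID(2) TCI(2) EtherType(2) payload.  TCI = PCP(3) DEI(1) VID(12)."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VID {vid} outside usable range {VID_MIN}-{VID_MAX}")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    tci = (pcp << 13) | vid            # DEI bit left clear
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Decode the Ethernet header and, if present, the 802.1Q tag.
    Returns a dict; 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst_mac, "src": src_mac, "vid": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("frame claims an 802.1Q tag but is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst_mac, "src": src_mac, "vid": tci & 0x0FFF,
            "pcp": tci >> 13, "ethertype": inner_type, "payload": frame[18:]}


def ingress_interface(parsed, trunk="eth0"):
    """Name of the kernel VLAN sub-interface a tagged frame arriving on `trunk`
    is handed to (the '<trunk>.<vid>' naming of the Linux 8021q module is
    assumed).  Untagged frames stay on the trunk itself, so netfilter rules
    written only against eth0.<vid> interfaces never see them."""
    if parsed["vid"] is None:
        return trunk
    return f"{trunk}.{parsed['vid']}"


if __name__ == "__main__":
    # Constructed sample: a frame arriving from switch 4, port 47 of the plan.
    plan = vlan_plan()
    vid = plan[(4, 47)]
    frame = tag_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                      vid, 0x0800, b"\x45" + b"\x00" * 19)
    parsed = parse_frame(frame)
    print(f"{len(plan)} edge ports share one trunk; frame from switch 4 port 47 "
          f"carries VID {parsed['vid']} -> {ingress_interface(parsed)}")
```

The 240 VIDs the example needs sit comfortably inside the 12-bit VID field, which is why one trunk can carry them all; the `vlan_plan` check that refuses to exceed 4094 is the real limit. The untagged-frame branch of `ingress_interface` is the practical caveat: anything that reaches the trunk without a tag is filtered on `eth0`, not on any `eth0.<vid>`, so a ruleset that only names the sub-interfaces has a gap there.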



