Hi.

On Thu, May 16, 2019 at 01:28:41PM +1200, Richard Hector wrote:
> Hi all,

<a description of a conventional Linux bridge was here>

> What I think doesn't work so well is attempting to filter traffic either
> between containers,

"modprobe br_netfilter", then it'll be the same netfilter rules.

> or between a container and the host.

Should work with minimal hassle. A couple of rules in the FORWARD chain, and that MASQUERADE rule if you need it.

> Also, ISTR people saying iptables shouldn't be used on a bridge at all.

People also say that one should not use iptables at all, because nft. So what?

> So before I set up my next VPS (and possibly reconfigure my older
> one(s)), is there a better way I should be considering?

It depends.

If you need unconditional "container-container" and "host-container" traffic isolation, you'd probably better use macvlan in private mode.

If you need something non-trivial - you'd probably better use openvswitch.

> Do I need to use ebtables on the bridge?

It'll work if you can stomach it. ebtables is very limited compared to iptables.

> Will that work between containers?

Yep.

> Would I be better off using multiple bridges?

Why? It'll complicate your setup for the marginal gain.

> As an aside, if I get access to VLANs from my provider (I don't think
> I've ever (successfully) configured VLANs on Linux before), I assume I
> can include a VLAN in each bridge, and I guess leave the default one out?

You can bridge a tagged network interface with a non-tagged one, it'll work.

You can make a bridge on top of non-tagged interfaces, and VLANs on top of it.

It all really depends on what you're trying to achieve with 802.1q.

Reco
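The combination Reco sketches above (load br_netfilter so bridged frames traverse the FORWARD chain, a few FORWARD rules, and the MASQUERADE rule), written out as an added example. This is not code from the thread; the bridge name br0, the container subnet 10.0.3.0/24, the uplink eth0 and the assumption that the host serves DNS to the containers are all made up for the example. The script prints an iptables-restore ruleset by default and only installs it when called with "apply".

```shell
#!/bin/sh
# Added example, not from the thread above. Generates an iptables-restore
# ruleset for filtering traffic on a Linux bridge once br_netfilter is loaded.
# br0, 10.0.3.0/24 and eth0 are assumed values; override via the environment.

BRIDGE="${BRIDGE:-br0}"          # assumed: bridge the containers hang off
CT_NET="${CT_NET:-10.0.3.0/24}"  # assumed: container subnet on that bridge
WAN_IF="${WAN_IF:-eth0}"         # assumed: uplink interface

# Returns 0 when bridged frames are handed to iptables (module loaded and the
# sysctl at 1). Without this the FORWARD rules never see container-to-container
# traffic, because the bridge switches it at layer 2.
br_netfilter_active() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}

# filter table. With br_netfilter, a frame bridged from one container to
# another traverses FORWARD with both -i and -o set to the bridge itself,
# which is what the DROP rule below matches on.
filter_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to flows that were already allowed, in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# container <-> container: both interfaces are the bridge, drop it
-A FORWARD -i $BRIDGE -o $BRIDGE -j DROP
# container -> Internet via the uplink
-A FORWARD -i $BRIDGE -o $WAN_IF -s $CT_NET -j ACCEPT
# container -> host: traffic to the host's own addresses hits INPUT, not
# FORWARD. Allow DNS to the host (assumed resolver) and replies, drop the rest.
-A INPUT -i $BRIDGE -p udp --dport 53 -j ACCEPT
-A INPUT -i $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $BRIDGE -j DROP
COMMIT
EOF
}

# nat table: the MASQUERADE rule so a private container subnet can reach out
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $CT_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

ruleset() { filter_rules; nat_rules; }

# Install for real (root required). Loading the module is what makes the
# FORWARD rules apply to bridged traffic at all, so verify it before restoring.
apply_ruleset() {
    modprobe br_netfilter
    br_netfilter_active || { echo "br_netfilter is not active" >&2; return 1; }
    ruleset | iptables-restore
}

# Dry run by default: print the ruleset. Pass "apply" to install it.
case "${1:-}" in
    apply) apply_ruleset ;;
    "")    ruleset ;;
esac
```

Host-to-container traffic originates on the host and leaves through OUTPUT (policy ACCEPT here), so the host can still reach every container while the containers cannot reach each other or open new connections to the host beyond DNS. Run the script without arguments and inspect the output first; `BRIDGE=lxcbr0 sh script.sh` swaps in a different bridge name.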