Simon Walter <simon@???> writes:
> On 06/06/2016 08:48 PM, Rainer Weikusat wrote:
>> Simon Walter <simon@???> writes:
>>> On 06/05/2016 12:16 AM, Rainer Weikusat wrote:
>>>> Simon Walter <simon@???> writes:
[...]
>>>>> auto br0
>>>>> iface br0 inet static
>>>>> pre-up ip tuntap add dev tap0 mode tap
>>>>> pre-up ip link set tap0 up
>>>>> post-down ip link set tap0 down
>>>>> post-down ip tuntap del dev tap0 mode tap
>>>>> bridge_ports tap0
>>>>> address 10.1.1.1
>>>>> netmask 255.255.255.0
>>>>> broadcast 10.1.1.255
[...]
>> You don't need the tap port for that, the bridge will happily work
>> without any ports statically assigned to it.
>
[...]
> Can I bring a bridge up and do iptables
> stuff with it having no interfaces that it bridges?
Sure. The bridge is just another (virtual) network interface to the
other parts of the kernel and whether or not it actually bridges
something (because it has more than one port assigned to it and there's
traffic on them) is its own business.
>> The machines I'm dealing with use a bridge as 'main interface' a
>> principally arbitrary number of (lxc) containers connect to via veth
>> with one physical interface also assigned to the bridge to provide
>> actual connectivity. It's also possible to do packet filtering between
>> bridge ports if that's considered to be desirable/ useful.
>
> I want to filter packets between physical NIC (WAN, eth0) and a
> virtual internal network (LAN, br0/tap0???). I am basically creating
> an isolated virtual network with virtual machines all inside one
> machine.
While I haven't used this so far, it's (reportedly) possible to use
netfilter rules to filter traffic between different bridge ports.
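
The two points made in this reply (a bridge needs no ports to be usable
as a routed/filtered interface, and traffic between bridge ports can be
filtered with netfilter) in script form. This is an added example, not
something posted in the thread: interface names eth0/br0/tap0 and the
10.1.1.0/24 range are taken from Simon's stanza, tap1 is a hypothetical
second VM port, and DRY_RUN is a convenience of this script so the rule
set can be printed and reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Port-less bridge as the LAN side of a
# single-host firewall, routed filtering against the WAN NIC, and filtering
# between two ports of the same bridge. Assumed names: eth0 (WAN), br0 (LAN
# bridge), tap0/tap1 (VM ports), 10.1.1.0/24 (LAN range).

WAN=${WAN:-eth0}
LAN_BR=${LAN_BR:-br0}
LAN_NET=${LAN_NET:-10.1.1.0/24}
LAN_ADDR=${LAN_ADDR:-10.1.1.1/24}

# With DRY_RUN=1 every privileged command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge with no ports at all. To routing and iptables it is an
# ordinary interface from this moment on; ports can be attached later.
bridge_up() {
    run ip link add "$LAN_BR" type bridge
    run ip addr add "$LAN_ADDR" dev "$LAN_BR"
    run ip link set "$LAN_BR" up
}

# Attach a tap device as a bridge port, e.g. when a VM starts.
add_tap_port() {
    run ip tuntap add dev "$1" mode tap
    run ip link set "$1" master "$LAN_BR"
    run ip link set "$1" up
}

# Routed filtering between the bridge and the WAN NIC: default-deny
# forwarding, LAN -> WAN allowed with return traffic, NAT on the WAN side.
wan_lan_filter() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_BR" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Frames switched between two ports of the same bridge never take the
# routing path, so iptables only sees them once br_netfilter is loaded and
# bridge-nf-call-iptables is on. Caveat: that sysctl is host-wide, so from
# then on *every* bridged frame on the machine hits FORWARD and must be
# accepted there explicitly when the policy is DROP.
bridge_nf_on() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Block traffic entering on bridge port $1 and leaving on bridge port $2.
# The physdev match identifies the ingress/egress port of a bridged frame.
inter_port_filter() {
    run iptables -A FORWARD -m physdev --physdev-in "$1" --physdev-out "$2" -j DROP
}

# Let all other bridged traffic through despite the DROP policy.
bridged_default_accept() {
    run iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
}

main() {
    bridge_up
    add_tap_port tap0
    add_tap_port tap1
    wan_lan_filter
    bridge_nf_on
    inter_port_filter tap0 tap1
    bridged_default_accept
}

# "sh bridge_filter.sh show" prints the commands, "... apply" runs them.
case "${1:-}" in
    apply) main ;;
    show)  DRY_RUN=1 main ;;
esac
```

Rule order matters: the specific physdev DROP has to precede the
--physdev-is-bridged ACCEPT, and the conntrack ACCEPT at the top means an
already-established flow is never re-evaluated against the port rules.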