
I am trying to learn how to implement virtual interfaces using the Tap driver.

So far my understanding is that using the tap driver I can create a virtual interface and then have a userspace program attach to this interface to analyse the data coming into this device.

Now what if I attach a cisco switch to my LAN interface using a TRUNK link, forward all the packets coming into the LAN interface to the virtual tap interface and then in my program attached to this interface do some coding to analyze the vlan tag in the packet and only allow certain vlans to be forwarded to the WAN interface?

Does this sound plausible, or is there a flaw in my basic understanding?


Update: Now that I have played more with it I have a few more questions:

So I have my tun interface created (tun0) that does receive packets. With these packets I am doing some filtering (allowing/dropping) based on the "SRC MAC Address" in the Ethernet frame. The question: how do I send the allowed packets to one of my WAN interfaces (eth0) now?

ankit

1 Answer


It's certainly possible to do this, and it's actually possible to do this with existing kernel modules today:

LAN -> (nic module) -> (dot1q module) -> (bridge module) -> (dot1q module) -> (nic module) -> WAN

Or:

eth0 -> eth0.10 -> br0 -> eth1.20 -> eth1

(takes anything tagged as VLAN 10 off eth0, re-tags it as VLAN 20 and pushes it out eth1, and vice versa. Additional access control can be done using ebtables.)

If you don't need to change tags, you can simplify down to:

eth0 -> br0 -> eth1

And apply ebtables to br0.

That said, your application can do the "eth0.10 -> br0 -> eth1.20" piece internally, though it would not require tap devices to do it, since you can read frames off one interface, filter, and write to the other.

James Cape
  • The reason I would prefer to do it in my application is so that I can change the list of allowed VLANs on the run. Also, why would it require multiple tap devices? If my application has the packet, should it not be simply a matter of reading the VLAN field in the packet header (using AND, OR etc.) and not forwarding the packet to a WAN if it does not meet the VLAN criterion? – ankit Mar 03 '11 at 05:46
  • I'm not suggesting you don't re-implement it, I'm saying "here's another way that you could look at for your application". Though in actuality you wouldn't need tap devices at all (I've updated the answer). If you did have tap interfaces, you'd have to bridge them to the physical interfaces anyway. – James Cape Mar 03 '11 at 12:57