Are there tools to define in Linux something similar to Policy-based Routing, but on Layer2 level? Usual Linux bridge uses destination MAC to decide, which interface to send frame to. Can this behavior be altered?

Let's say we have a machine with several interfaces - physical, virtual, VLAN-tagged subinterfaces, etc. A frame arrives at one of them. Can we decide, which outgoing interface the frame will be delivered to, according to parameters such as VLAN tag in the frame, source MAC address, source interface, 802.1p priority, etc.?

Hello ,

You can use ebtables .

Thanks

Thanks, vishesh, I read about ebtables, but I haven't found a way how to set them to modify forwarding decision of a bridge or make Linux to push frames to specific interface. All I've found is how to _filter_ the traffic.

Do you have an idea, how ebtables may be used in this fashion?

Linux does support VLANs (IEEE 802.11Q). You need to have the the needed kernel modules loaded and configure the bridge devices.

Here is a good article about it from Linux Journal a couple years back:
http://m.linuxjournal.com/article/10821

It includes a contrived example of a firewall with just one interface.

The link appears to be broken.

Anyway, I know about 802.1q and actually use it in my config. But how does it help me in this case?

My setup looks like this:
* There are several KVM guests with virtual interfaces vnet1, vnet2, etc. These VMs send traffic, which is already VLAN-tagged.
* There are several VLAN-tagged sub-interfaces on the hypervisor: eth1.X, eth1.Y, etc.
* Bridges are used to switch frames between vnets and tagged sub-interfaces - for example, bridge1 unites vnet1, vnet2 and eth1.X.
* So when a guest VM sends frame on its vnet with VLAN tag N, then it's transmitted over physical interface eth1 with two tags: external (X) and internal (N).
* My aim is this: to make external tag be chosen according to the range of internal tags. For example, if N is in [501:600], then frame would be pushed to eth1.X, and the frame will be double-tagged by X:N. Otherwise - by Y:N.

Is there a way to achieve that?

QinQ is used for trunking, to wrap your traffic through a trunk which has its own vlan.

A vlan is associated with a particular virtual device so you can use the device e.g. -i eth0.15 in an iptables rule. (I did see an -vlan argument in a thread once, but don't know if it's valid. ).

I don't see why you don't match vlan id's on the hypervisor with the ones on the VMs. From your description, it seems as if you have 10 times the vlans as VMs.

There is also arptables and ebtables. Which might be useful.

Try this link again:
http://www.linuxjournal.com/article/10821
It worked when I checked.