5.4 -- bridging, ipfw, dot1q
Jeremie Le Hen
jeremie at le-hen.org
Fri Aug 12 22:49:47 GMT 2005
Hi,
> I am afraid the existing code cannot help you.
> The packets you see are encapsulated in 802.1q aka VLAN frames,
> and since ipfw2 does not try to decapsulate the packets, you
> don't get to see the IP headers.
>
> Your most reasonable option would be to write a new ipufw2 opcode,
> say something like 'vlan-decap x-y', which succeeds if the packet has
> a vlan header in the range x to y, and in this case skips the VLAN header,
> tries to re-parse the header fields as in the beginning of
> ip_fw_chk() after the section
>
> /*
> * Collect parameters into local variables for faster matching.
> */
>
> and then continues.
> It's not a lot of code, in the worst case you can just cut&paste
> the relevant 50-60 lines from the beginning of the code
> (though of course it would be nice to rearrange the code to
> reduce duplication).
>
> By doing this you can do something like
>
> ipfw add skipto 1000 vlan-decap 1-50
>
> and then process vlans 1 to 50 at line 1000.
> Maybe it is a good idea to split the vlan-id matching and the decapsulation.
Isn't it posible to cheat using vlan(4) interface ? I think it's
possible to create them in order to use its code to zap the VLAN header
and then use ipfw to filter on these vlan(4) interfaces. This isn't
more than a workaround, but it might help.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
More information about the freebsd-hackers
mailing list