ipfw2 mac address matching weirdness?

Andy Gilligan andy at evo6.org
Sat Aug 2 21:45:23 PDT 2003


On Sun, Aug 03, 2003 at 03:39:24AM BST, Mike Wade wrote:
> On Sun, 3 Aug 2003, Andy Gilligan wrote:
> 
> > On Sun, Aug 03, 2003 at 01:31:23AM BST, Mike Wade wrote:
> > > I'm running FreeBSD 4.8 RELEASE w/ IPFW2 support enabled.  I'm running
> > > into some weirdness with the mac address matching feature or perhaps it's
> > > my lack of understanding how it interacts with other rules. :)
> > >
> > > My goal is to transparently redirect everything except a few select MAC
> > > addresses but it doesn't appear to work properly.  For example:
> > >
> > > net-ninja# ipfw list
> > > 00001 skipto 65535 ip from any to any MAC any any in via sis0
> > > 00002 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in via sis0
> > > 65535 allow ip from any to any
> > >
> > > This should allow every MAC address to bypass the transparent redirect but
> > > it doesn't.  If I change rule #1 to:
> > >
> > > 00001 skipto 65535 ip from any to any in via sis0
> > >
> > > Things work as advertised.  Any ideas?
> >
> > Try:
> >
> > sysctl net.link.ether.ipfw=1
> 
> Hmm, it was already set:
> 
> net-ninja# sysctl net.link.ether.ipfw
> net.link.ether.ipfw: 1

The best advice I can give at the moment is to read the "PACKET FLOW"
section in ipfw(8).

A brief read over it suggests that it *may* not be possible to do what
you ask in your case, due to the rules being parsed twice.

The first pass is done from ether_demux(), and this will only match the
first rule - it won't match tcp or dst-port 80, etc.

The second pass will come from ip_input(), which will only match the
second rule, as it doesn't know anything about MAC addresses.

I could be missing something (it is 4am), so hopefully somebody will
step in and tell me I'm wrong :)

Sorry I couldn't be of more help.

Best regards,
-Andy
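The two-pass behaviour Andy describes, as an added illustration (this is not code from the thread or from FreeBSD; it models only what the reply states, namely that with net.link.ether.ipfw=1 an inbound frame is checked once from ether_demux() and once from ip_input(), that each pass starts again at the first rule, that a MAC option can only match in the ether_demux() pass, and, as a further assumption of the model, that a fwd rule is simply passed over in the layer-2 pass because forwarding is an IP-layer action). The rule and packet classes, the sample packet and its MAC address are constructed for the example; rule 1 may also name one specific source MAC, which is the "few select MAC addresses" case from the original question and ends the same way.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    num: int
    action: str                      # "allow", "skipto" or "fwd"
    target: Optional[int] = None     # skipto destination rule number
    fwd_to: Optional[str] = None     # fwd destination, e.g. "127.0.0.1,8080"
    proto: str = "ip"                # "ip" matches any IP protocol
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None    # "any" or one MAC; None = no MAC option
    in_via: Optional[str] = None


@dataclass
class Packet:
    src_mac: str
    proto: str
    dst_port: int
    iface: str


def matches(rule: Rule, pkt: Packet, layer: int) -> bool:
    """All match options of the rule hold for this packet in this pass."""
    if rule.src_mac is not None:
        # Taken from the reply: the MAC header is only visible in the
        # ether_demux() pass; from ip_input() a MAC option never matches.
        if layer != 2:
            return False
        if rule.src_mac != "any" and rule.src_mac != pkt.src_mac:
            return False
    if rule.in_via is not None and rule.in_via != pkt.iface:
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def run_pass(rules: List[Rule], pkt: Packet, layer: int) -> str:
    """Evaluate one pass from the first rule; return the action taken."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt, layer):
            i += 1
            continue
        if r.action == "skipto":
            # Jump to the first rule numbered >= target (the skip does not
            # survive into the next pass, which restarts at rule 1).
            i = next(j for j, x in enumerate(rules) if x.num >= r.target)
            continue
        if r.action == "fwd":
            if layer == 2:
                # Assumption of this model: fwd is an IP-layer action, so the
                # rule is passed over in the layer-2 pass.
                i += 1
                continue
            return f"fwd {r.fwd_to}"
        if r.action == "allow":
            return "allow"
        raise ValueError(f"unknown action {r.action!r}")
    return "deny"  # fell off the end of the chain


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """(action in the ether_demux() pass, action in the ip_input() pass)."""
    return run_pass(rules, pkt, 2), run_pass(rules, pkt, 3)


# Mike's ruleset, with rule 1 carrying the "MAC any any" option.
RULES_WITH_MAC = [
    Rule(1, "skipto", target=65535, src_mac="any", in_via="sis0"),
    Rule(2, "fwd", fwd_to="127.0.0.1,8080", proto="tcp", dst_port=80, in_via="sis0"),
    Rule(65535, "allow"),
]

# The variant he reports as working: rule 1 without the MAC option.
RULES_WITHOUT_MAC = [
    Rule(1, "skipto", target=65535, in_via="sis0"),
    Rule(2, "fwd", fwd_to="127.0.0.1,8080", proto="tcp", dst_port=80, in_via="sis0"),
    Rule(65535, "allow"),
]

# Constructed sample packet: an HTTP request arriving on sis0 (documentation MAC).
HTTP_IN = Packet(src_mac="00:00:5e:00:53:01", proto="tcp", dst_port=80, iface="sis0")

if __name__ == "__main__":
    print("with MAC option:   ", verdict(RULES_WITH_MAC, HTTP_IN))
    print("without MAC option:", verdict(RULES_WITHOUT_MAC, HTTP_IN))
```

With the MAC option the first pass skips to 65535 and allows, but the second pass restarts at rule 1, which can no longer match, and lands on the fwd rule, so the redirect still happens; without the MAC option rule 1 matches in both passes and the fwd rule is never reached.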
