FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?

Andrew Seguin asegu at borgtech.ca
Fri Dec 17 06:28:25 PST 2004


Would changing over to RELENG_4 remove these headaches for me?

Maybe if I patch the code you pointed out to be ETHERTYPE_VLAN instead of
_IP, then ipfw will filter only VLAN traffic instead of IP traffic. This I
would be willing to do until a patch became mainstream.

So if the above works, I could just remove remote-console access and leave
the box without an IP address, and IPFW would happily work with filters such
as "deny ip from any to any $PORT"...

Thank you for your help to date, I shall stay tuned to any other ideas!

Andrew

-----Original Message-----
From: Nickolay A. Kritsky [mailto:nkritsky at star-sw.com] 
Sent: Friday, December 17, 2004 1:42 PM
To: Andrew Seguin
Cc: freebsd-net at freebsd.org
Subject: Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?

Hello Andrew,

Friday, December 17, 2004, 12:47:46 PM, Andrew Seguin wrote:

...

I cannot say for sure, because I do not have any 5.x filtering bridge
right now. But after reading some sources I think I understand what is
happening:

bdg_forward in bridge.c is calling ipfw or another packet filter:
        /*
         * NetBSD-style generic packet filter, pfil(9), hooks.
         * Enables ipf(8) in bridging.
         */
        if (!IPFW_LOADED) { /* XXX: Prevent ipfw from being run twice. */
        if (inet_pfil_hook.ph_busy_count >= 0 &&
            m0->m_pkthdr.len >= sizeof(struct ip) &&
            ntohs(save_eh.ether_type) == ETHERTYPE_IP) {

Note the last line: for a VLAN-tagged packet the field
save_eh.ether_type would be ETHERTYPE_VLAN instead of ETHERTYPE_IP and
no filtering will take place. That is what I think is going on. Who is
the current maintainer of bridge code in FreeBSD?

-- 
Best regards,
;  Nickolay A. Kritsky
; SysAdmin STAR Software LLC
; mailto:nkritsky at star-sw.com
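The condition quoted from bdg_forward() above is the whole story: the bridge looks only at the outer ethertype, and an 802.1Q tag moves the IP ethertype four bytes deeper into the frame. The following is an added example, not code from this thread or from FreeBSD's bridge.c, that reproduces the naive check against constructed frames and sets a hypothetical VLAN-aware check beside it so the gap is visible. The frame bytes, the function names and the single-tag assumption (no QinQ) are all mine; the constants are the standard ethertype values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_VLAN  0x8100
#define ETHER_HDR_LEN   14
#define VLAN_TAG_LEN    4
#define MIN_IP_HDR_LEN  20   /* sizeof(struct ip) in the kernel check */

/* Read the 16-bit big-endian field at offset off. */
static uint16_t be16(const uint8_t *p, size_t off)
{
    return (uint16_t)((p[off] << 8) | p[off + 1]);
}

/* Mirrors the quoted bdg_forward() condition: the frame is handed to the
 * packet filter only when the OUTER ethertype is IP. An 802.1Q tag makes the
 * outer ethertype 0x8100, so tagged IP frames never reach the filter. */
int naive_would_filter(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN + MIN_IP_HDR_LEN) return 0;
    return be16(frame, 12) == ETHERTYPE_IP;
}

/* VLAN id carried in a single 802.1Q tag, or -1 if the frame is untagged. */
int frame_vlan_id(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN + VLAN_TAG_LEN) return -1;
    if (be16(frame, 12) != ETHERTYPE_VLAN) return -1;
    return be16(frame, 14) & 0x0fff;        /* TCI = PCP(3) DEI(1) VID(12) */
}

/* Hypothetical VLAN-aware version of the check (assumption, not FreeBSD's
 * code): step over one 802.1Q tag and test the encapsulated ethertype. */
int vlan_aware_would_filter(const uint8_t *frame, size_t len)
{
    size_t hdr = ETHER_HDR_LEN;
    uint16_t et;

    if (len < ETHER_HDR_LEN) return 0;
    et = be16(frame, 12);
    if (et == ETHERTYPE_VLAN) {
        if (len < ETHER_HDR_LEN + VLAN_TAG_LEN) return 0;
        et = be16(frame, 16);               /* ethertype after the tag */
        hdr += VLAN_TAG_LEN;
    }
    return et == ETHERTYPE_IP && len - hdr >= MIN_IP_HDR_LEN;
}

/* Constructed sample frames: dst MAC, src MAC, [802.1Q tag], ethertype,
 * then 20 zero bytes standing in for a minimal IPv4 header. */
#define MACS 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb
#define PAYLOAD20 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

const uint8_t sample_untagged_ip[] = { MACS, 0x08,0x00, PAYLOAD20 };
const uint8_t sample_tagged_ip[]   = { MACS, 0x81,0x00, 0x00,0x64, 0x08,0x00, PAYLOAD20 }; /* VLAN 100, IP */
const uint8_t sample_tagged_arp[]  = { MACS, 0x81,0x00, 0x00,0x64, 0x08,0x06, PAYLOAD20 }; /* VLAN 100, ARP */

int main(void)
{
    printf("untagged IP : naive=%d vlan-aware=%d vid=%d\n",
           naive_would_filter(sample_untagged_ip, sizeof sample_untagged_ip),
           vlan_aware_would_filter(sample_untagged_ip, sizeof sample_untagged_ip),
           frame_vlan_id(sample_untagged_ip, sizeof sample_untagged_ip));
    printf("tagged IP   : naive=%d vlan-aware=%d vid=%d\n",
           naive_would_filter(sample_tagged_ip, sizeof sample_tagged_ip),
           vlan_aware_would_filter(sample_tagged_ip, sizeof sample_tagged_ip),
           frame_vlan_id(sample_tagged_ip, sizeof sample_tagged_ip));
    printf("tagged ARP  : naive=%d vlan-aware=%d vid=%d\n",
           naive_would_filter(sample_tagged_arp, sizeof sample_tagged_arp),
           vlan_aware_would_filter(sample_tagged_arp, sizeof sample_tagged_arp),
           frame_vlan_id(sample_tagged_arp, sizeof sample_tagged_arp));
    return 0;
}
```

The tagged IP frame is the case the thread is about: naive_would_filter() returns 0 for it, so an ipfw rule such as "deny ip from any to any $PORT" on the bridge would never be consulted, while the VLAN-aware variant recognises it as IP on VLAN 100. Until the bridge code handles the tag, the practical check on a filtering bridge is to confirm with tcpdump whether the traffic crossing it is tagged at all.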



