PF rule on bridged interface won't match

Csaba Urban ucsaba at freemail.hu
Sun Nov 20 05:21:23 GMT 2005


The bridge would be a gateway for the hosts which are on member 
interfaces. I would like to control which IP addresses they can use on a 
particular interface (i.e. 192.168.1.5 on vlan1, etc.). It seems that it 
won't work this way.

Anyway, it can be done using the old bridge, but I think it would be 
more convenient if packets destined for/originated from the bridge 
itself were also handed to pfil_hooks when entering/leaving member 
interfaces.

Andrew Thompson <thompsa at freebsd.org> wrote:

> On Fri, Nov 18, 2005 at 03:50:42PM +0100, Csaba Urban wrote:
> > Hi,
> > 
> > I can't have packets match on PF rules on a member of if_bridge if it is 
> > not bridged but comes from another IP interface. Bridged packets 
> > match correctly.
> > 
> > bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
> >         inet 192.168.1.1 netmask 0xffffffe0
> >         ether ac:de:48:af:bc:8f
> >         priority 32768 hellotime 2 fwddelay 15 maxage 20
> >         member: vlan3 flags=3<LEARNING,DISCOVER>
> >         member: vlan2 flags=3<LEARNING,DISCOVER>
> >         member: vlan1 flags=3<LEARNING,DISCOVER>
> > 
> > PF rule:
> > pass in on vlan1 all
> > pass out on vlan1 all
> > 
> > This rule matches only if traffic is bridged (goes directly layer2 from 
> > vlan1 to vlan2 or vlan3). If it is delivered to the IP layer or it comes from 
> > there then it won't match.
> 
> This is how it's currently implemented. You can match locally generated
> packets on the bridge0 interface, is that sufficient for your setup?
> 
> 
> Andrew
> 

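An added pf.conf example (not part of the thread, and not code from either poster) that shows the two placements discussed above side by side. It reuses the addressing from the ifconfig output (192.168.1.1/27 on bridge0, member vlan1) and assumes, purely for illustration, that the host on vlan1 is 192.168.1.5:

```conf
# Added example: restricting which source address a host may use per VLAN
# behind an if_bridge that is also the hosts' IP gateway.

# Placement 1: rules on the member interface. According to the thread these
# hooks see only frames bridged at layer 2 between members; packets that are
# delivered to, or originate from, bridge0's own IP stack never pass here,
# so the restriction does not apply to traffic routed through the gateway.
pass in  quick on vlan1 from 192.168.1.5 to any
block in quick on vlan1

# Placement 2: rules on the bridge interface, as suggested in the reply.
# These match traffic entering or leaving the IP stack, but at this point
# the inbound member (vlan1 vs vlan2 vs vlan3) is no longer known to pf, so
# the rule can only restrict by address, not by "address on this VLAN".
pass in  quick on bridge0 from 192.168.1.0/27 to any
block in quick on bridge0
```

To see which placement a given flow actually hits, load the file with `pfctl -f /etc/pf.conf` and watch the Evaluations/Packets counters in `pfctl -vsr` while sending bridged (host to host on different VLANs) and routed (host to the gateway address) traffic; only the counters of the rules that run in that path will increment. On releases whose bridge(4) exposes the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge sysctls, confirm both are 1 before concluding that a non-matching rule is due to the behaviour described in the thread rather than to filtering being disabled on that side.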