How to use if_bridge

Fabian Keil freebsd-listen at fabiankeil.de
Sat Apr 15 21:28:58 UTC 2006


Andrew Thompson <thompsa at freebsd.org> wrote:

> On Sat, Apr 15, 2006 at 11:53:52AM +0200, Fabian Keil wrote:
> > "Daniel O'Connor" <doconnor at gsoft.com.au> wrote:
> > 
> > > On Friday 14 April 2006 21:37, Fabian Keil wrote:
> > 
> > > > Depending on your firewall setup you might have to disable
> > > > some of the net.link.bridge sysctls as well.
> > > 
> > > I don't have any firewalls in the kernel for simplicity at this stage.
> > 
> > If I'm not mistaken you have to disable net.link.bridge.pfil_onlyip
> > then. From the if_bridge man page:
> > 
> > |net.link.bridge.pfil_onlyip  Set to 1 to only allow IP packets to
> > |                             pass when packet filtering is enabled (subject to
> > |                             firewall rules), set to 0 to unconditionally
> > |                             pass all non-IP Ethernet frames.
> > 
> > It's enabled by default.
> 
> It may not be entirely clear from the description but that sysctl only
> has effect when packet filtering is enabled, both for the on and off
> values.
> 
> At present there are only pfil(9) hooks for IP and IPv6 filters, the
> knob controls what happens when filtering is enabled and the packet is
> not IP so won't be inspected, is it passed or dropped.
> 
> I'll try and clarify the man page.

Thanks. I always interpreted the sentence as "Set to 1 to allow IP packets to
pass only if packet filtering is enabled". I thought it should prevent the
user from creating an unfiltered bridge by accident.

Another thing regarding the man page:

The example section has the following sentence "Such a configuration
could be used to implement a simple 802.11-to-Ethernet bridge
(assuming the 802.11 interface is in ad-hoc mode)."

I don't get the meaning of the ad-hoc mode part. In my tests if_bridge
worked in hostap mode as well, but failed in infrastructure mode. Could
you clarify if (or why not) bridging in infrastructure mode should work?

Fabian
-- 
http://www.fabiankeil.de/
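
The following is an added illustration, not part of the original message and not code from if_bridge: a small C model of the pfil_onlyip behaviour as described in the quoted reply above. The function name, verdict names and sample frames are assumptions made for this sketch, and it covers only what the reply states, not any special cases in the real driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_IPV6 0x86DD

/* Hypothetical verdict names for this model; not taken from if_bridge. */
enum verdict { V_MALFORMED, V_PASS_NO_FILTER, V_TO_FIREWALL,
               V_PASS_UNINSPECTED, V_DROP };

/* Constructed frames: dst MAC, src MAC, EtherType (payload omitted). */
const uint8_t frame_ipv4[14]  = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08, 0x00 };
const uint8_t frame_other[14] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x88, 0xB5 };

/* Model of the reply's wording only; driver special cases are not covered. */
enum verdict bridge_verdict(const uint8_t *frame, size_t len,
                            int filtering_enabled, int pfil_onlyip)
{
    unsigned type;

    if (len < 14)                 /* too short to carry an EtherType */
        return V_MALFORMED;
    if (!filtering_enabled)       /* the knob has no effect here */
        return V_PASS_NO_FILTER;
    type = ((unsigned)frame[12] << 8) | frame[13];
    if (type == ETHERTYPE_IP || type == ETHERTYPE_IPV6)
        return V_TO_FIREWALL;     /* pfil(9) hooks exist for IP and IPv6 */
    /* Not IP, so no filter will inspect it: the knob decides. */
    return pfil_onlyip ? V_DROP : V_PASS_UNINSPECTED;
}

int main(void)
{
    static const char *name[] = { "malformed", "pass (no filtering)",
        "handed to firewall", "pass UNINSPECTED", "drop" };
    int filt, knob;

    for (filt = 0; filt <= 1; filt++)
        for (knob = 0; knob <= 1; knob++)
            printf("filtering=%d pfil_onlyip=%d  ipv4: %-20s non-ip: %s\n",
                   filt, knob,
                   name[bridge_verdict(frame_ipv4, sizeof frame_ipv4, filt, knob)],
                   name[bridge_verdict(frame_other, sizeof frame_other, filt, knob)]);
    return 0;
}
```

The row to watch when auditing a filtering bridge is filtering=1 with pfil_onlyip=0: non-IP frames cross the bridge without being matched against any firewall rule.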

More information about the freebsd-net mailing list