Bridge

[Andrew Thompson]

On Thu, Sep 14, 2006 at 08:38:02AM +0400, Eygene Ryabinkin wrote:
> Andrew, good day!
> 
> > The check for ARP happens before the ipfw layer2 code so it isnt
> > currently possible to filter them. 
> > 
> >      switch (ether_type) {
> > 	     case ETHERTYPE_ARP:
> > 	     case ETHERTYPE_REVARP:
> > 		     return (0); /* Automatically pass */
> I am a bit confused because in the another thread (also created by
> Jon Otterholm) you've answered that
> -----
> The only way that you will be able to filter ARP packets is by setting
> pfil_onlyip=0, ipfw=1 and use the IPFW layer2 filtering.
> -----
> citing the same code. Am I understand something incorrectly or these
> two answers do contradict with each other?

Yes, thats just me being stupid :)

My first answer to Jon was not correct, you can not currently filter
ARP. I have attached a patch that should make this possible my
rearranging things.

Thanks for pointing it out.


Andrew
-------------- next part --------------
Index: if_bridge.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_bridge.c,v
retrieving revision 1.79
diff -u -p -r1.79 if_bridge.c
--- if_bridge.c	25 Aug 2006 20:11:56 -0000	1.79
+++ if_bridge.c	14 Sep 2006 04:38:50 -0000
@@ -490,11 +490,9 @@ sysctl_pfil_ipfw(SYSCTL_HANDLER_ARGS)
 		/*
 		 * Disable pfil so that ipfw doesnt run twice, if the user
 		 * really wants both then they can re-enable pfil_bridge and/or
-		 * pfil_member. Also allow non-ip packets as ipfw can filter by
-		 * layer2 type.
+		 * pfil_member.
 		 */
 		if (pfil_ipfw) {
-			pfil_onlyip = 0;
 			pfil_bridge = 0;
 			pfil_member = 0;
 		}
@@ -2736,34 +2734,6 @@ bridge_pfil(struct mbuf **mp, struct ifn
 		}
 	}
 
-	/*
-	 * If we're trying to filter bridge traffic, don't look at anything
-	 * other than IP and ARP traffic.  If the filter doesn't understand
-	 * IPv6, don't allow IPv6 through the bridge either.  This is lame
-	 * since if we really wanted, say, an AppleTalk filter, we are hosed,
-	 * but of course we don't have an AppleTalk filter to begin with.
-	 * (Note that since pfil doesn't understand ARP it will pass *ALL*
-	 * ARP traffic.)
-	 */
-	switch (ether_type) {
-		case ETHERTYPE_ARP:
-		case ETHERTYPE_REVARP:
-			return (0); /* Automatically pass */
-		case ETHERTYPE_IP:
-#ifdef INET6
-		case ETHERTYPE_IPV6:
-#endif /* INET6 */
-			break;
-		default:
-			/*
-			 * Check to see if the user wants to pass non-ip
-			 * packets, these will not be checked by pfil(9) and
-			 * passed unconditionally so the default is to drop.
-			 */
-			if (pfil_onlyip)
-				goto bad;
-	}
-
 	/* Strip off the Ethernet header and keep a copy. */
 	m_copydata(*mp, 0, ETHER_HDR_LEN, (caddr_t) &eh2);
 	m_adj(*mp, ETHER_HDR_LEN);
@@ -2836,9 +2806,14 @@ ipfwpass:
 	error = 0;
 
 	/*
-	 * Run the packet through pfil
+	 * Run the packet through pfil. (Note that since pfil doesn't understand
+	 * ARP it will pass *ALL* ARP traffic.)
 	 */
 	switch (ether_type) {
+	case ETHERTYPE_ARP:
+	case ETHERTYPE_REVARP:
+		return (0); /* Automatically pass */
+
 	case ETHERTYPE_IP:
 		/*
 		 * before calling the firewall, swap fields the same as
@@ -2930,7 +2905,14 @@ ipfwpass:
 		break;
 #endif
 	default:
-		error = 0;
+		/*
+		 * Check to see if the user wants to pass non-ip
+		 * packets.
+		 */
+		if (pfil_onlyip) {
+			error = -1;
+			goto bad;
+		}
 		break;
 	}