finding optimal ipfw strategy

Eugene Grosbein eugen at grosbein.net
Wed Aug 28 15:49:00 UTC 2019


28.08.2019 17:18, Victor Gamov wrote:

>> Why do you need to filter ARP on a bridge? That's unusual. VLANs are
>> isolated by default and by definition, unless you explicitly enable
>> inter-vlan routing and set up your routing table.
> 
> Maybe I have some misunderstanding here, but...
> If I have many VLANs bridged via a bridge interface then ARP received
> from one VLAN will be sent to all bridge members.  So it will be sent
> to all unwanted VLANs. Is it correct?

Yes. So, you really do not want any kind of unicast bridging at all
and use the bridge as a "poor man's" replacement for inter-vlan multicast routing, right?

In such case you could benefit from a small patch that allows you to block ARP packets unconditionally,
as if they were filtered by ipfw, without really passing them through the ruleset.
Use sysctl net.link.bridge.ipfw_arp=-1 with the patch (untested):

--- if_bridge.c.orig	2019-04-19 17:20:09.724804000 +0700
+++ if_bridge.c	2019-08-28 22:35:14.788891000 +0700
@@ -3153,6 +3153,10 @@ bridge_pfil(struct mbuf **mp, struct ifn
 	switch (ether_type) {
 		case ETHERTYPE_ARP:
 		case ETHERTYPE_REVARP:
+			if (V_pfil_ipfw_arp == -1) {
+				error = 0;
+				goto bad;   /* Automatically drop */
+			}
 			if (V_pfil_ipfw_arp == 0)
 				return (0); /* Automatically pass */
 			break;
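Review bot: the special value -1 for net.link.bridge.ipfw_arp is introduced only in the new `if (V_pfil_ipfw_arp == -1)` branch; nothing in the hunk updates the sysctl's description string or the bridge documentation, so the new meaning is undiscoverable, and a named constant (or at least a comment beside the sysctl declaration) plus a man page note would help. The drop path also depends on the existing `bad:` label freeing the mbuf and returning `error = 0` so that the caller treats the frame as consumed rather than passed; since the patch is marked untested, that return convention is the first thing to confirm before applying it.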



>> Anyway, you can skip entire ipfw pass over a bridge because you
>> filter its members anyway, so just drop ARP coming from any vlan with
>> exception of controlling one:
>>
>> allow ip from any to any layer2 mac-type 0x0806 in recv $controlvlan
>> deny ip from any to any layer2 mac-type 0x0806 in
>> allow ip from any to any layer2
>>
>> And then disable filtering for bridge itself altogether. Decreasing
>> number of passes over ipfw should be your top priority because that's
>> what can provide you with most benefit. You should even rewrite your
>> ruleset if that is needed to achieve this goal.
> 
> If I set net.link.bridge.ipfw=0 but net.link.ether.ipfw and net.link.bridge.ipfw are still set to 1,
> is it still possible to block unwanted ARP received from one VLAN and bridged to another on the outgoing VLAN, like
> 
> deny ip from any to any layer2 mac-type 0x0806 out xmit MAC not $mymac any
> 
> Is it correct and more effective than net.link.bridge.ipfw=1 if I have "deny mac-type 0x0806 via bridge" at the top of the rules?

Yes. And anything decreasing the number of traffic passes over the entire ipfw ruleset is efficient.
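As an added example (not code from this thread or from FreeBSD), the script below wires up the strategy discussed above: filter ARP once on the bridge members (net.link.ether.ipfw=1), leave the bridge interface itself unfiltered (net.link.bridge.ipfw=0), and keep the ARP deny ahead of the catch-all layer-2 allow. It also includes a small audit that reads a saved `ipfw list` dump and reports whether that ordering holds. The interface name vlan100, the rule numbers and the sample `ipfw list` text are assumptions; DRY_RUN=1 (the default) only prints the commands, so the script can be reviewed before it is ever run on a FreeBSD box.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the "one pass over ipfw" ARP
# policy for a VLAN bridge and audits an 'ipfw list' dump for rule ordering.
# Assumptions: vlan100 is the controlling VLAN, rule numbers are illustrative.

CONTROL_VLAN="${CONTROL_VLAN:-vlan100}"   # only VLAN allowed to source ARP
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute

# Print a command (dry run) or execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Sysctls and layer-2 rules, in the order the thread requires:
# ARP from the control VLAN first, any other inbound ARP dropped,
# everything else allowed at layer 2 without touching the bridge again.
apply_arp_policy() {
    run sysctl net.link.ether.ipfw=1     # filter on member interfaces
    run sysctl net.link.bridge.ipfw=0    # no second pass on the bridge itself
    run ipfw add 100 allow ip from any to any layer2 mac-type 0x0806 in recv "$CONTROL_VLAN"
    run ipfw add 110 deny ip from any to any layer2 mac-type 0x0806 in
    run ipfw add 120 allow ip from any to any layer2
}

# Audit: read 'ipfw list' output on stdin and succeed only when an ARP deny
# exists and precedes the first catch-all layer-2 allow (otherwise the deny
# is dead, because the allow matches first).
arp_deny_before_catchall() {
    awk '
        /deny .*layer2 mac-type 0x0806/    && !deny  { deny  = NR }
        /allow ip from any to any layer2$/ && !allow { allow = NR }
        END { exit !(deny && (!allow || deny < allow)) }
    '
}

# Constructed sample dumps (not captured from a real system).
SAMPLE_GOOD='00100 allow ip from any to any layer2 mac-type 0x0806 in recv vlan100
00110 deny ip from any to any layer2 mac-type 0x0806 in
00120 allow ip from any to any layer2'
SAMPLE_BAD='00100 allow ip from any to any layer2
00110 deny ip from any to any layer2 mac-type 0x0806 in'

# Demonstration: print the policy and audit both samples.
apply_arp_policy
printf '%s\n' "$SAMPLE_GOOD" | arp_deny_before_catchall && echo "good sample: ARP deny is effective"
printf '%s\n' "$SAMPLE_BAD"  | arp_deny_before_catchall || echo "bad sample: ARP deny is shadowed by the catch-all allow"
```

To audit a live ruleset, pipe the real output in with `ipfw list | arp_deny_before_catchall`; the exit status is what a cron job or config test can key on.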


