Re: finding optimal ipfw strategy

From: Victor Gamov <vit_at_otcnet.ru>
Date: Wed, 26 Oct 2022 19:24:29 UTC
Hi All

Bumping this thread after a few years :-)


Now I have the following HW/SW setup:
- FreeBSD 12.3-STABLE r372089 GENERIC amd64
- Xeon(R) CPU E5-2470 v2 @ 2.40GHz
- ix0 hardware
- about 10-15 vlans like "vlan: 100 vlanpcp: 0 parent interface: ix0"
- and all vlans are bridged via bridgeX
- about 200 multicast streams (200K packets / 2G multicast traffic incoming via one VLAN, vlan100)
- ipfw to allow/deny incoming/outgoing traffic on any vlanX:
   -- net.link.bridge.ipfw=1 -- to enable layer2 filtering (ARP)
   -- net.link.bridge.ipfw_arp=1 -- to filter ARP
   -- net.link.bridge.pfil_bridge=0 -- no filtering on bridgeX
   -- net.link.bridge.pfil_member=1 -- to filter in/out on bridged vlans
   -- net.link.ether.ipfw=1 -- to filter inter-vlan non-IP packets like STP/CDP/etc.


My optimized IPFW strategy is based on the earlier messages, but it is still a work in progress :-)

Some things are working fine, but some things I still can't figure out.

As documented in ipfw(8) (section "PACKET FLOW"), [bdg_forward] is at the lower 
layer, so ALL packets are bridged unconditionally and I can't drop undesired 
incoming packets based on the incoming VLAN (like "deny ip from any to any 
in recv vlanX") _before_ they are bridged?

Then, once a packet is bridged, is it copied to all bridged vlans?

And only in [ip_output] will undesired outgoing packets be dropped?


Is it possible to drop incoming packets _before_ they are bridged?

-- 
CU,
Victor Gamov
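Added example (not part of Victor's post and not FreeBSD's own code): a sketch of how the sysctls above and an ipfw ruleset fit together when filtering is done on the bridge *member* interfaces (the vlanX ifaces) rather than on bridgeX. Two things are worth knowing here. First, the net.link.bridge.ipfw sysctl handler in if_bridge.c clears pfil_member, pfil_bridge and pfil_onlyip when ipfw filtering is switched on (to avoid running ipfw twice), so the order of the sysctls matters and pfil_member has to be re-enabled after net.link.bridge.ipfw=1. Second, with pfil_member=1 the member-inbound pass (the [bdg_forward] hook in the ipfw(8) PACKET FLOW diagram, with "recv" set to the member the frame arrived on) runs in bridge_forward before the bridge picks the destination members and makes copies, and the member-outbound pass ("xmit" set to the destination member) runs once per copy. The topology (vlan100 as the multicast source, vlan110/vlan120 as receivers, vlan130 excluded) and the 239.0.0.0/8 group range are assumptions for the example; by default the script only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD itself.
# Hypothetical topology: vlan100 carries the multicast sources, vlan110 and
# vlan120 must receive the groups, vlan130 must not. 239.0.0.0/8 is assumed.
MCAST_SRC_VLAN=vlan100
MCAST_RX_VLANS="vlan110 vlan120"
MCAST_DENY_VLANS="vlan130"
MCAST_GROUPS=239.0.0.0/8

# Sysctls in the order they must be applied: switching net.link.bridge.ipfw
# on clears pfil_member, pfil_bridge and pfil_onlyip (if_bridge.c does this
# so ipfw does not run twice), so pfil_member is re-enabled afterwards.
bridge_sysctls() {
    cat <<EOF
net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=1
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1
net.link.ether.ipfw=1
EOF
}

# Ruleset, one "ipfw add" argument string per line. Rules with "in recv
# <member>" are matched on the member inbound pass, before the bridge picks
# the destination members; "out xmit <member>" rules run once per copy.
ipfw_rules() {
    n=1000
    # Multicast may only enter the bridge from the source vlan.
    echo "$n allow udp from any to $MCAST_GROUPS in recv $MCAST_SRC_VLAN"
    for v in $MCAST_RX_VLANS $MCAST_DENY_VLANS; do
        n=$((n + 10))
        echo "$n deny udp from any to 224.0.0.0/4 in recv $v"
    done
    n=2000
    # The bridge makes one copy per member; decide per destination member.
    for v in $MCAST_RX_VLANS; do
        echo "$n allow udp from any to $MCAST_GROUPS out xmit $v"
        n=$((n + 10))
    done
    for v in $MCAST_DENY_VLANS; do
        echo "$n deny udp from any to $MCAST_GROUPS out xmit $v"
        n=$((n + 10))
    done
    echo "65000 allow ip from any to any"   # placeholder for the rest of the policy
}

# Apply (or, by default, only print) the sysctls and the ruleset.
# IPFW_DRYRUN=0 runs sysctl/ipfw for real; the final "sysctl net.link.bridge"
# is there to confirm pfil_member is still 1 after the ipfw toggle.
apply_bridge_filter() {
    if [ "${IPFW_DRYRUN:-1}" = 1 ]; then
        run() { echo "+ $*"; }
    else
        run() { "$@"; }
    fi
    bridge_sysctls | while IFS= read -r kv; do run sysctl "$kv"; done
    run ipfw -q flush
    # $rule is intentionally unquoted so the rule words are split for ipfw
    ipfw_rules | while IFS= read -r rule; do run ipfw -q add $rule; done
    run sysctl net.link.bridge
}

apply_bridge_filter
```

Run with IPFW_DRYRUN=0 on the bridge host to apply it. Because net.inet.ip.fw.enable, net.link.ether.ipfw and net.link.bridge.ipfw are all on in this setup, the same frame can be matched by ipfw at more than one of the points in the PACKET FLOW diagram; the `layer2` rule option restricts a rule to the ether_demux/ether_output_frame/bdg_forward passes if that becomes a problem. To confirm that the 1000-series rules really fire before replication, watch their counters with `ipfw -a list` (after `ipfw zero`) while a stream is flowing and compare them against the 2000-series counters.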