misc/78090: ipf filtering on bridged packets doesn't work if ipfw
mk at neon1.net
Fri Feb 25 19:50:17 GMT 2005
>Synopsis: ipf filtering on bridged packets doesn't work if ipfw is loaded
>Arrival-Date: Fri Feb 25 19:50:16 GMT 2005
>Originator: Manuel Kasper
FreeBSD daemon5.neon1.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004 root at harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
If ipfw is loaded, then the net.link.ether.bridge.ipf option, which is designed to pass bridged packets to ipfilter, doesn't work: no ipfilter rules are applied. This happens even when net.link.ether.bridge.ipfw=0.
Closer examination of sys/net/bridge.c reveals that the whole pfil processing part of the code is skipped if IPFW_LOADED == true, in order to prevent ipfw from being called twice on a given packet (once through pfil, and once directly from bdg_forward).
Configure ipfilter to block packets, set up bridging between two interfaces. Make sure ipfw is not loaded. Observe that bridged packets are actually blocked by ipfilter. Load ipfw (leave net.link.ether.bridge.ipfw alone). Observe that packets are no longer blocked.
Packets should be tagged somehow in bdg_forward prior to sending them to pfil_run_hooks to make ipfw ignore them when it's called from pfil.
More information about the freebsd-bugs