ipfw tags & filtering incoming broadcasts

Andrey V. Elsukov bu7cher at yandex.ru
Wed Apr 11 17:43:19 UTC 2007


> Hi!
> I have a router based on FreeBSD 6 running quagga/RIPv2
> and want to filter all incoming packets sent to it (not forwarded through it)
> with a small set of exceptions. This router uses ipfw for packet filtering.

You can use "in recv" keywords to determine incoming packets.

> There is no problem filtering unicasts. But I also want to block all
> broadcasts except incoming RIPv2; some hardware
> routers send broadcasts instead of multicasts here.
> I've tried this way:
> ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any

If you want to use tags in the following rules, you should use the `count' action
instead of `allow'.

> ipfw add 40 allow ip from any to any layer2
> ipfw add 50 count log ip from any to any tagged 1
> I hoped that rule 30 would tag all broadcasts with tag 1 during layer2
> filtering pass and it'd keep its tag during layer3 filtering but it seems
> it doesn't. If I send a broadcast with ping <IP-broadcast>
> I see that rules 30 and 40 match this outgoing broadcast
> but rule 50 does not. Am I doing something wrong or
> is this behaviour by design, or is this a bug that deserves a PR?

If you want to filter RIPv2 packets, maybe it's a good idea
to use src-port or dst-port 520 with the udp protocol?

--
WBR, Andrey V. Elsukov
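As an added example that is not part of this thread: a small script that puts the advice above together (tag with `count' in the layer2 pass, match RIPv2 by udp port 520, select arriving packets with `in recv`). The rule numbers, the em0 interface name, the ipfw path and the final deny rule are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the layer2 pass to be
# enabled (sysctl net.link.ether.ipfw=1). Rule numbers, interface name and
# ipfw path are assumptions; override with IPFW=... IF=... in the environment.
IPFW=${IPFW:-/sbin/ipfw}
IF=${IF:-em0}

ipfw_broadcast_rules() {
    # Layer2 pass: tag Ethernet broadcasts. `count' does not terminate the
    # search, so the packet continues through the layer2 rules and still
    # carries tag 1 when the layer3 pass runs.
    "$IPFW" add 30 count tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any in layer2
    # Let the layer2 pass finish; filtering decisions are made at layer3.
    "$IPFW" add 40 allow ip from any to any layer2
    # Layer3 pass: accept RIPv2 (UDP port 520) broadcasts arriving on $IF.
    "$IPFW" add 50 allow udp from any to any dst-port 520 in recv "$IF" tagged 1
    # Drop and log every other broadcast that arrives on $IF.
    "$IPFW" add 60 deny log ip from any to any in recv "$IF" tagged 1
}

# Install the rules only when invoked as:  sh this_script.sh apply
if [ "${1:-}" = apply ]; then
    ipfw_broadcast_rules
fi
```

Run with `IPFW=echo sh this_script.sh apply` to print the rules without installing them.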


More information about the freebsd-net mailing list