Date:      Tue, 06 Mar 2007 16:00:10 +0000
From:      "Bruce M. Simpson" <bms@FreeBSD.org>
To:        Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc:        rik@FreeBSD.org, freebsd-net@freebsd.org, glebius@FreeBSD.org, andre@FreeBSD.org, thompsa@FreeBSD.org
Subject:   Re: kern/109815: wrong interface identifier at pfil_hooks for vlans + if_bridge
Message-ID:  <45ED900A.7050208@FreeBSD.org>
In-Reply-To: <20070306073945.GR57456@codelabs.ru>
References:  <E1HNbWw-000LoF-Bo@pobox.codelabs.ru> <45E9F1E8.2000802@inse.ru> <20070304062203.GL80319@codelabs.ru> <E1HNbWw-000LoF-Bo@pobox.codelabs.ru> <45E9F1E8.2000802@inse.ru> <20070304160613.GN80319@codelabs.ru> <45EB4915.1090703@FreeBSD.org> <20070305145647.GT80319@codelabs.ru> <45EC3EFD.3000301@FreeBSD.org> <20070306073945.GR57456@codelabs.ru>

Eygene Ryabinkin wrote:
> I am awfully sorry, but you seem to be mistaken:
Thanks for clarifying this. That'll be because I didn't read if_bridge 
that far. ;^) In my original message I was just looking at if_ethersubr.c.

I need to make sure any changes which are made to if_bridge to deal with 
vlan problems are incorporated into bms_netdev so that after I commit 
M_PROMISC, it does the right thing.
>  if_bridge calls
> the ipfw directly only for the L2 filtering (when the net.link.bridge.ipfw
> is set to 1).  This is processed by the block in if_bridge just
> above the 'ipfwpass' label.
>
>   

In bms_netdev, the behaviour of ether_demux() is unchanged.

ip_dn_claim_rule() is called to determine if there is an IPFW (usually 
dummynet) rule for the input frame at ethernet level, if-and-only-if 
net.link.ether.ipfw is non-zero. I just committed some comments to 
clarify this and styled it the same as the check in ether_output_frame().

However -- the IPFW check in ether_demux() is *skipped* in bms_netdev if 
M_PROMISC is set. This is because we might drop packets which are 
destined for vlan_input() which flow in because the interface is 
IFF_PROMISC.

Strictly speaking this bends the rules of dummynet, because if you have 
frames coming in due to promiscuous mode, which the rest of the stack 
doesn't expect, they won't be filtered by Dummynet pipes.

> But the L3 filtering is done fully by the pfil hooks, as I understand
> the code. Moreover, I am using 'pf' in my case, not the ipfw.
>   
Yes, this is always the case for the upper layers.

Regards,
BMS


