From: "Allen Smith" <easmith@beatrice.rutgers.edu>
Date: Sun, 7 Jun 1998 18:55:42 -0400
Message-Id: <9806071855.ZM11380@beatrice.rutgers.edu>
In-Reply-To: Luigi Rizzo "Re: Documenting sysctls (was: Re: kernfs/procfs questions...)" (Jun 6, 2:31am)
References: <199806060031.CAA12468@labinfo.iet.unipi.it>
To: Luigi Rizzo
Cc: wollman@khavrinen.lcs.mit.edu, net@FreeBSD.ORG
Subject: Re: Documenting sysctls (was: Re: kernfs/procfs questions...)

On Jun 6, 2:31am, Luigi Rizzo (possibly) wrote:
> Allen Smith (easmith@beatrice.rutgers.edu) wrote:
> > OK... but documentation as to what it does would still be nice, as
> > per the thing (L2-filtering-bridging) that I mentioned. Does it
> > indeed do what I thought it does?
>
> FreeBSD does not do any L2 bridging. There are two standalone
> alternatives for that, my pcbridge code (available from my web page,
> romable, but only supports ed-like cards) and the drawbridge stuff
> at http://drawbridge.tamu.edu/

The code from your page doesn't appear to be currently accessible, so I
can't check it out. The drawbridge stuff is inadequately configurable for
firewall purposes.
We may be dealing with a matter of semantics/definitions here, namely in
what one defines as a bridge and what one defines as a router. The
arrangement I'm considering is as follows:

1. The FreeBSD machine has the proxyall sysctl on, so that it tells other
   machines on the two (or more) sides of it that packets meant for
   machines on its other interfaces should be sent to its interface.

2. It also has IP Filter running, with the fastroute code being used to
   override all normal routing stuff, including things such as ttl
   decreases. This is used to relay any packets that should be let
   through from one interface to the other. E.g., if machines A and B are
   on interface 1, and the other machines are on interface 2, then any
   packet that comes into interface 2 that's for machine A or machine B
   (and, for the firewall application - thus the L2-filtering part of
   the bridging - is OK by the firewall rules) gets relayed to interface
   1, going out to the machine it's intended for.

3. From the viewpoint of any other machine on the network, so long as it
   is simply using ARP to do its Ethernet stuff, the situation is the
   same as before - no reconfiguration for adding a router is needed,
   but it's still as configurable as it would be if it were a router.

Given this, it looks to me more like an L2-filtering bridge than a router.

> remember, acting as a bridge puts a lot of load on a machine because
> it has to listen to all traffic on all interfaces. pcbridge saves
> some work by only loading to memory the header of the packet and
> throwing data away if the packet must not be forwarded, but a
> solution using the generic FreeBSD device drivers would almost
> surely have to load the entire packet to memory before working on
> it.
While I have considered the load problem - a reason that the machine
we've gotten for this is a P233, despite the fact that it's only handling
two 10-Base-T lines - it isn't nearly as much of a problem as it would be
without the proxy ARP effectively serving as a prefilter along with the
normal Ethernet hardware. It only gets packets in the first place that it
needs to deal with - it doesn't need to filter them out later on.

This setup is essentially for the case of when you have reasons not to
want to rearrange the current router et al. setup. We've got internal
political problems (turf battles) with doing so; others (possibly also
like us) may have old routers, etcetera. There's also the advantage that
if the machine breaks down or is being reconfigured, in the meantime you
can simply do the connection directly - not possible with a router.

-Allen
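The arrangement Allen describes (proxy ARP answering only for hosts behind the box's other interfaces, then a filtered relay that leaves the TTL alone) as a small added model, not FreeBSD, IP Filter or any poster's code; the topology, MAC labels and firewall rules are constructed for illustration:

```python
"""Toy model of the proxy-ARP + fastroute 'L2-filtering bridge' from the mail.
Hypothetical simulation only; not FreeBSD or IP Filter code."""
from dataclasses import dataclass

# Constructed topology: hosts A and B sit on interface 1, C and D on interface 2.
HOSTS_BY_IFACE = {1: {"A", "B"}, 2: {"C", "D"}}
KNOWN_HOSTS = set().union(*HOSTS_BY_IFACE.values())
BOX_MAC = {1: "mac-box-if1", 2: "mac-box-if2"}  # constructed MAC labels


def iface_of(host):
    """Interface through which a known host is reached."""
    return next(i for i, hosts in HOSTS_BY_IFACE.items() if host in hosts)


def proxy_arp_reply(in_iface, target):
    """proxyall behaviour: answer an ARP request seen on in_iface with the box's
    own MAC only when the target lives behind one of the *other* interfaces.
    Hosts on the same wire, or unknown hosts, get no reply, so the box never
    attracts traffic it would not have to relay anyway (the 'prefilter')."""
    if target in KNOWN_HOSTS and target not in HOSTS_BY_IFACE[in_iface]:
        return BOX_MAC[in_iface]
    return None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ttl: int
    out_iface: int = None


# Constructed first-match rules: (src, dst, proto, pass?) with "*" as wildcard.
RULES = [("*", "A", "tcp", True), ("*", "B", "*", False), ("*", "*", "*", True)]


def allowed(pkt):
    for s, d, p, verdict in RULES:
        if s in ("*", pkt.src) and d in ("*", pkt.dst) and p in ("*", pkt.proto):
            return verdict
    return False


def fastroute(in_iface, pkt):
    """Relay a packet that arrived for a host on another interface: apply the
    rules, then hand it to that interface without touching the TTL (the
    behaviour the mail attributes to IP Filter's fastroute). Returns the packet
    with out_iface set, or None if it is dropped or not ours to relay."""
    dst_iface = iface_of(pkt.dst)
    if dst_iface == in_iface or not allowed(pkt):
        return None
    pkt.out_iface = dst_iface
    return pkt
```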