From owner-freebsd-net@FreeBSD.ORG  Sun Nov 20 05:21:23 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@FreeBSD.org
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F2D4116A420
	for <freebsd-net@FreeBSD.org>; Sun, 20 Nov 2005 05:21:22 +0000 (GMT)
	(envelope-from ucsaba@freemail.hu)
Received: from fmx02.freemail.hu (fmx02.freemail.hu [195.228.245.52])
	by mx1.FreeBSD.org (Postfix) with SMTP id 3426043D45
	for <freebsd-net@FreeBSD.org>; Sun, 20 Nov 2005 05:21:21 +0000 (GMT)
	(envelope-from ucsaba@freemail.hu)
Received: (qmail 6896 invoked from network); 19 Nov 2005 23:14:40 +0100
Received: from fm14.freemail.hu (195.228.245.114)
	by fmx02.freemail.hu with SMTP; 19 Nov 2005 23:14:39 +0100
Received: (qmail 58682 invoked by uid 227048); 19 Nov 2005 23:14:39 +0100
Date: Sat, 19 Nov 2005 23:14:39 +0100 (CET)
From: Csaba Urban <ucsaba@freemail.hu>
To: Andrew Thompson <thompsa@freebsd.org>
In-Reply-To: <20051119203337.GA804@heff.fud.org.nz>
Message-ID: <freemail.20051019231439.58673@fm14.freemail.hu>
X-Originating-IP: [62.68.174.63]
X-HTTP-User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
X-Freemail: message scanned
Cc: freebsd-net@FreeBSD.org
Subject: Re: PF rule on bridged interface won't match
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2005 05:21:23 -0000

The bridge would be a gateway for the hosts which are on member=20
interfaces. I would like to control which IP adresses they can use on a=20
particular interface (i.e. 192.168.1.5 on vlan1, etc.). It seems that it=20
won't work this way.

Anyway, it can be done using the old bridge but I think it would be=20
more convenient if packets destined for/ originated from the bridge=20
itself were also handled to pfil_hooks when entering/leaving member=20
interfaces.

Andrew Thompson <thompsa@freebsd.org> =EDrta:

> On Fri, Nov 18, 2005 at 03:50:42PM +0100, Csaba Urban wrote:
> > Hi,
> >=20
> > I can't have packets match on PF rules on a member of if_bridge if=20
it is=20
> > not bridged but comes from an other IP interface. Bridged packets=20
> > match correctly.
> >=20
> > bridge0: flags=3D8041<UP,RUNNING,MULTICAST> mtu 1500
> >         inet 192.168.1.1 netmask 0xffffffe0
> >         ether ac:de:48:af:bc:8f
> >         priority 32768 hellotime 2 fwddelay 15 maxage 20
> >         member: vlan3 flags=3D3<LEARNING,DISCOVER>
> >         member: vlan2 flags=3D3<LEARNING,DISCOVER>
> >         member: vlan1 flags=3D3<LEARNING,DISCOVER>
> >=20
> > PF rule:
> > pass in on vlan1 all
> > pass out on vlan1 all
> >=20
> > This rule matches only if traffic is bridged (goes directly layer2 from=
=20
> > vlan1 to vlan2 or vlan3). If it is delivered to the IP layer or it come=
s=20
from=20
> > there then it won't match.
>=20
> This is how its currently implemented. You can match locally generated
> packets on the bridge0 interface, is that sufficient for your setup?
>=20
>=20
> Andrew
> =0A=0A___________________________________________________________________=
____=0ARendelj k=E9pet =E9s nyerj=E9l g=E9pet a T-Online Fot=F3t=E1r=E1val =
december 15-ig.=0Ahttp://www.t-online.hu=0A=0A