Date:      Sun, 7 Jun 1998 18:55:42 -0400
From:      "Allen Smith" <easmith@beatrice.rutgers.edu>
To:        Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Cc:        wollman@khavrinen.lcs.mit.edu, net@FreeBSD.ORG
Subject:   Re: Documenting sysctls (was: Re: kernfs/procfs questions...)
Message-ID:  <9806071855.ZM11380@beatrice.rutgers.edu>
In-Reply-To: Luigi Rizzo <luigi@labinfo.iet.unipi.it>        "Re: Documenting sysctls (was: Re: kernfs/procfs questions...)" (Jun  6,  2:31am)
References:  <199806060031.CAA12468@labinfo.iet.unipi.it>

On Jun 6,  2:31am, Luigi Rizzo (possibly) wrote:
> Allen Smith (easmith@beatrice.rutgers.edu) wrote:
> > OK... but documentation as to what it does would still be nice, as
> > per the thing (L2-filtering-bridging) that I mentioned. Does it
> > indeed do what I thought it does?
> 
> FreeBSD does not do any L2 bridging. There are two standalone
> alternatives for that, my pcbridge code (available from my web page,
> romable, but only supports ed-like cards) and the drawbridge stuff
> at http://drawbridge.tamu.edu/

The code from your page doesn't appear to be currently accessible, so
I can't check it out. The drawbridge stuff is inadequately
configurable for firewall purposes.

We may be dealing with a matter of semantics/definitions here, namely
in what one defines as a bridge and what one defines as a router. The
arrangement I'm considering is as follows:


1. The FreeBSD machine has the proxyall sysctl on, so that it tells
   other machines on the two (or more) sides of it that packets meant
   for machines on its other interfaces should be sent to its
   interface.

2. It also has IP Filter running, with the fastroute code being used
   to override all normal routing stuff, including things such as ttl
   decreases. This is used to relay any packets that should be let
   through from one interface to the other. E.g., if machines A and B
   are on interface 1, and the other machines are on interface 2,
   then any packet that comes into interface 2 that's for machine A or
   machine B (and, for the firewall application - thus the
   L2-filtering part of the bridging - is OK by the firewall rules)
   gets relayed to interface 1, going out to the machine it's intended
   for.

3. To the viewpoint of any other machine on the network, so long as it
   is simply using ARP to do its Ethernet stuff, the situation is the
   same as before - no reconfiguration for adding a router is needed,
   but it's still as configurable as it would be if it were a
   router. Given this, it looks to me more like a L2-filtering bridge
   than a router.

> remember, acting as a bridge puts a lot of load on a machine because
> it has to listen to all traffic on all interfaces. pcbridge saves
> some work by only loading to memory the header of the packet and
> throwing data away if the packet must not be forwarded, but a
> solution using the generic FreeBSD device drivers would almost
> surely have to load the entire packet to memory before working on
> it.

While I have considered the load problem - a reason that the machine
we've gotten for this is a P233, despite that it's only handling 2
10-Base-T lines - it isn't nearly as much of a problem as it would be
without the proxyarp effectively serving as a prefilter along with the
normal ethernet hardware. It only gets packets in the first place that
it needs to deal with - it doesn't need to filter them out later on.

This setup is essentially for the case of when you have reasons not to
want to rearrange the current router et al setup. We've got
internal political problems (turf battles) with doing so, others
(possibly also like us) may have old routers, etcetera. There's also
the advantage that if the machine breaks down or is being
reconfigured, in the meantime you can simply do the connection
directly - not possible with a router.

	-Allen
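The arrangement Allen describes (proxy ARP answering for hosts behind the other interface, IP Filter deciding what gets relayed, fastroute bypassing the normal routing path so nothing like the TTL is touched) can be modelled as a small decision procedure. The following is an added illustration, not code from the thread or from FreeBSD/IP Filter: it is a constructed simulator of that policy, with assumed interface names `ed0`/`ed1`, hosts `A`/`B` on one side and `C`/`D` on the other, and a hypothetical rule set.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a proxy-ARP + filtering relay, for illustration only.
# Interface names, hosts and rules below are assumptions, not taken from the thread.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    dport: Optional[int]  # None for protocols without ports
    ttl: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    in_iface: str                # interface the packet arrives on
    dst: Optional[str] = None    # destination host; None matches any
    proto: Optional[str] = None  # protocol; None matches any
    dport: Optional[int] = None  # destination port; None matches any

    def matches(self, iface_in: str, pkt: Packet) -> bool:
        return (self.in_iface == iface_in
                and self.dst in (None, pkt.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


class FilteringRelay:
    """Relays packets between interfaces only when a first-match rule passes them."""

    def __init__(self, hosts_by_iface: dict, rules: list):
        self.hosts_by_iface = {i: set(h) for i, h in hosts_by_iface.items()}
        self.rules = list(rules)

    def iface_for(self, host: str) -> Optional[str]:
        for iface, hosts in self.hosts_by_iface.items():
            if host in hosts:
                return iface
        return None

    def answers_arp(self, iface_in: str, target: str) -> bool:
        """Proxy ARP: claim the target only when it lives behind a different interface,
        so hosts on the same segment keep talking to each other directly."""
        home = self.iface_for(target)
        return home is not None and home != iface_in

    def relay(self, iface_in: str, pkt: Packet):
        """Return (verdict, out_iface, forwarded_packet) for a packet seen on iface_in."""
        out = self.iface_for(pkt.dst)
        if out is None or out == iface_in:
            # Proxy ARP never drew this packet to us; nothing to do.
            return ("not-for-relay", None, None)
        for rule in self.rules:
            if rule.matches(iface_in, pkt):
                if rule.action == "block":
                    return ("blocked", None, None)
                # fastroute-style relay: the packet goes out unchanged (TTL untouched).
                return ("relayed", out, pkt)
        # Nothing matched: deny by default rather than relay silently.
        return ("blocked", None, None)


# Constructed topology: A and B behind ed0, C and D behind ed1.
TOPOLOGY = {"ed0": {"A", "B"}, "ed1": {"C", "D"}}

# Constructed policy: only SSH to A is let in from the ed1 side;
# everything originating on the ed0 side may go out.
RULES = [
    Rule("pass", "ed1", dst="A", proto="tcp", dport=22),
    Rule("block", "ed1"),
    Rule("pass", "ed0"),
]

RELAY = FilteringRelay(TOPOLOGY, RULES)


def demo():
    """Run a few constructed packets through the relay and return the verdicts."""
    cases = {
        "ssh_to_A": RELAY.relay("ed1", Packet("C", "A", "tcp", 22, 64)),
        "http_to_B": RELAY.relay("ed1", Packet("C", "B", "tcp", 80, 64)),
        "C_to_D": RELAY.relay("ed1", Packet("C", "D", "udp", 53, 64)),
        "A_out": RELAY.relay("ed0", Packet("A", "D", "icmp", None, 64)),
    }
    for name, verdict in cases.items():
        print(f"{name}: {verdict[0]}" + (f" via {verdict[1]}" if verdict[1] else ""))
    return cases


if __name__ == "__main__":
    demo()
```

The `answers_arp` check captures the prefiltering effect Allen relies on: the box only ever receives frames for hosts on its other interfaces, so same-segment traffic never reaches the filter at all. The `relay` path returns the packet object untouched, mirroring the point that a fastroute relay does not decrement the TTL the way a normal routed hop would.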

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9806071855.ZM11380>