Date:      Sat, 19 Nov 2005 23:14:39 +0100 (CET)
From:      Csaba Urban <ucsaba@freemail.hu>
To:        Andrew Thompson <thompsa@freebsd.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: PF rule on bridged interface won't match
Message-ID:  <freemail.20051019231439.58673@fm14.freemail.hu>
In-Reply-To: <20051119203337.GA804@heff.fud.org.nz>

The bridge would be a gateway for the hosts which are on member
interfaces. I would like to control which IP addresses they can use on a
particular interface (i.e. 192.168.1.5 on vlan1, etc.). It seems that it
won't work this way.

Anyway, it can be done using the old bridge but I think it would be
more convenient if packets destined for/originated from the bridge
itself were also handed to pfil_hooks when entering/leaving member
interfaces.

Andrew Thompson <thompsa@freebsd.org> wrote:

> On Fri, Nov 18, 2005 at 03:50:42PM +0100, Csaba Urban wrote:
> > Hi,
> >
> > I can't have packets match on PF rules on a member of if_bridge if it is
> > not bridged but comes from another IP interface. Bridged packets
> > match correctly.
> >
> > bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
> >         inet 192.168.1.1 netmask 0xffffffe0
> >         ether ac:de:48:af:bc:8f
> >         priority 32768 hellotime 2 fwddelay 15 maxage 20
> >         member: vlan3 flags=3<LEARNING,DISCOVER>
> >         member: vlan2 flags=3<LEARNING,DISCOVER>
> >         member: vlan1 flags=3<LEARNING,DISCOVER>
> >
> > PF rule:
> > pass in on vlan1 all
> > pass out on vlan1 all
> >
> > This rule matches only if traffic is bridged (goes directly layer2 from
> > vlan1 to vlan2 or vlan3). If it is delivered to the IP layer or it comes from
> > there then it won't match.
>
> This is how it's currently implemented. You can match locally generated
> packets on the bridge0 interface, is that sufficient for your setup?
>
>
> Andrew
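As an added illustration of the behaviour discussed in this thread (not a configuration posted by either participant), a pf.conf that keeps the rules for bridged layer-2 traffic on the member interfaces and puts the rules for traffic to and from the bridge's own address on bridge0, where the reply says such packets are matched. The interface names and the 192.168.1.0/27 network come from the quoted ifconfig output; the host-to-VLAN assignments (192.168.1.5 on vlan1, 192.168.1.10 on vlan2) are assumed.

```pf
# Added example, not from the thread. Network and interface names are from
# the quoted ifconfig output; the per-VLAN host addresses are assumed.
lan_net   = "192.168.1.0/27"
bridge_ip = "192.168.1.1"

block log all

# Frames forwarded at layer 2 between members (e.g. vlan1 -> vlan2) pass
# through pf on the member interfaces, so a per-member source check works
# for bridged traffic.
pass in  on vlan1 from 192.168.1.5 to $lan_net    # assumed host on vlan1
pass out on vlan1 to 192.168.1.5
pass in  on vlan2 from 192.168.1.10 to $lan_net   # assumed host on vlan2
pass out on vlan2 to 192.168.1.10

# Packets addressed to, or originated by, the bridge's own IP never match
# the member rules above; they are matched on bridge0 instead. At that
# point pf no longer sees which member delivered the frame, so this rule
# can only constrain the whole network, not an address per VLAN, which is
# the limitation described in the thread.
pass in  on bridge0 from $lan_net to $bridge_ip
pass out on bridge0 from $bridge_ip to $lan_net
```

Loading the rules with `pfctl -f /etc/pf.conf` and watching `pfctl -vvsr` counters per rule shows which of the two rule groups a given flow actually hits.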