Date: Wed, 26 Oct 2022 22:24:29 +0300
From: Victor Gamov <vit@otcnet.ru>
To: freebsd-net@freebsd.org
Subject: Re: finding optimal ipfw strategy
Message-ID: <f354dccd-c912-db96-938c-0dc6f89e407c@otcnet.ru>
In-Reply-To: <f38b21a5-8f9f-4f60-4b27-c810f78cdc88@otcnet.ru>
References: <f38b21a5-8f9f-4f60-4b27-c810f78cdc88@otcnet.ru>
Hi All

Up this thread after a few years :-)

Now I have the following HW/SW setup:
- FreeBSD 12.3-STABLE r372089 GENERIC amd64
- Xeon(R) CPU E5-2470 v2 @ 2.40GHz
- ix0 hardware
- about 10-15 vlans like "vlan: 100 vlanpcp: 0 parent interface: ix0"
- and all vlans are bridged via bridgeX
- about 200 multicast streams (200K packets / 2G multicast traffic incoming via one vlan100)
- ipfw to allow/deny incoming/outgoing traffic on any vlanX:
  -- net.link.bridge.ipfw=1 -- to enable layer2 filtering (ARP)
  -- net.link.bridge.ipfw_arp=1 -- to filter ARP
  -- net.link.bridge.pfil_bridge=0 -- no filtering on bridgeX
  -- net.link.bridge.pfil_member=1 -- to filter in/out on bridged vlans
  -- net.link.ether.ipfw=1 -- to filter inter-vlan non-IP packets like STP/CDP/etc

IPFW optimized strategy based on early messages but still in research :-) Some things are working fine but some I still can't figure out.

As documented at ipfw(8) (part "PACKET FLOW"), [bdg_forward] is at the lower layer, so ALL packets are bridged unconditionally and I can't drop undesired incoming packets based on the incoming vlan (like "deny ip from any to any in recv vlanX") _before_ they are bridged? Then, if a packet is bridged, are all packets copied to all bridged vlans? And only in [ip_output] will undesired outgoing packets be dropped?

Is it possible to drop incoming packets _before_ they are bridged?

--
CU, Victor Gamov