Date: Sat, 13 Aug 2005 13:35:44 -0700 From: Julian Elischer <julian@elischer.org> To: "Dan Mahoney, System Admin" <danm@prime.gushi.org> Cc: Luigi Rizzo <rizzo@icir.org>, Jeremie Le Hen <jeremie@le-hen.org>, net@freebsd.org Subject: Re: 5.4 -- bridging, ipfw, dot1q Message-ID: <42FE59A0.5080602@elischer.org> In-Reply-To: <20050813044147.B61674@prime.gushi.org> References: <20050812042749.H87994@prime.gushi.org> <20050812063359.A14229@xorpc.icir.org> <20050812224956.GG45385@obiwan.tataz.chchile.org> <20050812170348.A20828@xorpc.icir.org> <20050813044147.B61674@prime.gushi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Dan Mahoney, System Admin wrote: should be in -net not -hackers cc's changed accordingly.. > > After all, the demuxing is nothing more than ignoring a few extra bits > at the beginning of the packet. Which all my BPF stuff is doing nicely. > Snort, trafshow, etc all work fine and don't seem to choke on the extra > frames. > > I'd personally just be happy if ipfw was smart enough to know that if I > was using ip-type rules on something that's not ip...that it would > handle the demuxing automagically. > > i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan via em1 > > or maybe > > i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan-as-inet > via em1 > > Hi Dan. What it comes down to is just that no-one who has worked in ipfw has had your particular problem to solve. O/S gets done when people have a particular problem to solve. As for demultiplexing, well, you COULD pass it out to a netgraph node that strips off the header and stores the info in a tag, and then passes it back to ipfw, but I don't know how the details would work. (I haven't been in ifpw since it was rewritten). Alternatively you could use netgraph bridging and tehnetgraph vlan node type to achieve some sort of stripping.. (Once again, I'm just pointing you in this direction, not providing a full answer.) In 6.x netgraph has more options for this sort of thing with a direct interface between ipfw and netgraph. So, if you want to fix it, you could either do some work on ipfw or do some work on netgraph, but either way you'll probably need to do some work. Julian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42FE59A0.5080602>