Date: Thu, 14 Sep 2006 16:48:42 +1200
From: Andrew Thompson <thompsa@freebsd.org>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: freebsd-net@freebsd.org, Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
Subject: Re: Bridge
Message-ID: <20060914044842.GC35371@heff.fud.org.nz>
In-Reply-To: <20060914043802.GZ1221@codelabs.ru>
References: <45084BBD.7090903@ide.resurscentrum.se> <20060914042010.GA35371@heff.fud.org.nz> <20060914043802.GZ1221@codelabs.ru>
On Thu, Sep 14, 2006 at 08:38:02AM +0400, Eygene Ryabinkin wrote:
> Andrew, good day!
>
> > The check for ARP happens before the ipfw layer2 code so it isn't
> > currently possible to filter them.
> >
> >     switch (ether_type) {
> >     case ETHERTYPE_ARP:
> >     case ETHERTYPE_REVARP:
> >         return (0); /* Automatically pass */
>
> I am a bit confused because in another thread (also created by
> Jon Otterholm) you answered that
> -----
> The only way that you will be able to filter ARP packets is by setting
> pfil_onlyip=0, ipfw=1 and use the IPFW layer2 filtering.
> -----
> citing the same code. Do I misunderstand something, or do these
> two answers contradict each other?

Yes, that's just me being stupid :) My first answer to Jon was not correct, you can not currently filter ARP. I have attached a patch that should make this possible by rearranging things.

Thanks for pointing it out.

Andrew

[Attachment: bridge_filterarp.diff]

Index: if_bridge.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_bridge.c,v retrieving revision 1.79 diff -u -p -r1.79 if_bridge.c --- if_bridge.c 25 Aug 2006 20:11:56 -0000 1.79 +++ if_bridge.c 14 Sep 2006 04:38:50 -0000 @@ -490,11 +490,9 @@ sysctl_pfil_ipfw(SYSCTL_HANDLER_ARGS) /* * Disable pfil so that ipfw doesnt run twice, if the user * really wants both then they can re-enable pfil_bridge and/or - * pfil_member. Also allow non-ip packets as ipfw can filter by - * layer2 type. + * pfil_member. */ if (pfil_ipfw) { - pfil_onlyip = 0; pfil_bridge = 0; pfil_member = 0; }
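Review bot: removing `pfil_onlyip = 0;` from sysctl_pfil_ipfw() changes behaviour for every existing net.link.bridge.ipfw=1 setup: until now enabling ipfw also let non-IP frames reach the layer2 rules, after this hunk they are dropped unless the administrator also sets net.link.bridge.pfil_onlyip=0 by hand. The shortened comment should say that pfil_onlyip now has to be cleared by the user, and if_bridge(4) plus the sysctl description need the same note; the alternative is to keep the assignment here so that the reordering in the later hunks does not also change defaults.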
@@ -2736,34 +2734,6 @@ bridge_pfil(struct mbuf **mp, struct ifn } } - /* - * If we're trying to filter bridge traffic, don't look at anything - * other than IP and ARP traffic. If the filter doesn't understand - * IPv6, don't allow IPv6 through the bridge either. This is lame - * since if we really wanted, say, an AppleTalk filter, we are hosed, - * but of course we don't have an AppleTalk filter to begin with. - * (Note that since pfil doesn't understand ARP it will pass *ALL* - * ARP traffic.) - */ - switch (ether_type) { - case ETHERTYPE_ARP: - case ETHERTYPE_REVARP: - return (0); /* Automatically pass */ - case ETHERTYPE_IP: -#ifdef INET6 - case ETHERTYPE_IPV6: -#endif /* INET6 */ - break; - default: - /* - * Check to see if the user wants to pass non-ip - * packets, these will not be checked by pfil(9) and - * passed unconditionally so the default is to drop. - */ - if (pfil_onlyip) - goto bad; - } - /* Strip off the Ethernet header and keep a copy. */ m_copydata(*mp, 0, ETHER_HDR_LEN, (caddr_t) &eh2); m_adj(*mp, ETHER_HDR_LEN); @@ -2836,9 +2806,14 @@ ipfwpass: error = 0; /* - * Run the packet through pfil + * Run the packet through pfil. (Note that since pfil doesn't understand + * ARP it will pass *ALL* ARP traffic.) */ switch (ether_type) { + case ETHERTYPE_ARP: + case ETHERTYPE_REVARP: + return (0); /* Automatically pass */ + case ETHERTYPE_IP: /* * before calling the firewall, swap fields the same as @@ -2930,7 +2905,14 @@ ipfwpass: break; #endif default: - error = 0; + /* + * Check to see if the user wants to pass non-ip + * packets. + */ + if (pfil_onlyip) { + error = -1; + goto bad; + } break; }
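Review bot: in the @@ -2736,34 hunk the removed comment carried the reasoning for the checks (why an unknown ethertype is dropped when pfil_onlyip is set, and why IPv6 is not let through when the kernel has no INET6), but the relocated code only keeps the ARP sentence. Move the "these will not be checked by pfil(9) and passed unconditionally so the default is to drop" explanation along with the default branch, and add a line next to the remaining m_copydata()/m_adj() noting that non-IP frames are now stripped before they can be dropped, which is only safe because `bad:` frees the mbuf.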
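Review bot: in the @@ -2836,9 hunk the relocated `return (0)` for ETHERTYPE_ARP/ETHERTYPE_REVARP now runs after the Ethernet header has been copied into eh2 and cut off with m_adj() (that strip is the trailing context of the previous hunk and sits above the `ipfwpass:` label), so an ARP frame is handed back to the bridge with its header still missing; whatever follows the switch to put the header back is skipped by the early return. Use `break;` instead (error is already 0 right after the label) so ARP leaves through the same restore path as IP frames, and keep the "Automatically pass" comment on the break.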
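Review bot: in the @@ -2930,7 hunk the pfil_onlyip drop now happens after the ipfw layer2 pass, so a non-IP frame that an ipfw rule explicitly allowed is still discarded unless the user also sets net.link.bridge.pfil_onlyip=0; together with the first hunk no longer clearing pfil_onlyip, that is the default outcome for ipfw users. State that in the new comment (the version being removed from the top of the function explained that pfil(9) never inspects these frames, which is why the default is to drop) and in the pfil_onlyip sysctl description, so that "ipfw passed it but the bridge dropped it" is not the first thing people report.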
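As an added example, not code from this thread or from FreeBSD's if_bridge.c, the following user-space C model walks a constructed ARP frame through the ordering Andrew describes: the Ethernet header is stripped and saved, the ipfw layer2 rules run, the pfil dispatch switches on ethertype with the pfil_onlyip knob deciding non-IP frames, and the header is put back. frame_t, knobs_t, run_frame(), the source MAC addresses and the hypothetical "deny ARP from blocked_src" ipfw rule are this example's own assumptions; the kernel names (m_adj, eh2, ipfwpass, bad) appear only in comments to show which step is being modelled. The arp_breaks argument lets you compare the posted `return (0)` for ARP against a `break` that falls through to the restore step.

```c
/* Added example, not code from this thread or from FreeBSD's if_bridge.c: a
 * user-space model of the bridge_pfil() ordering discussed above.  The Ethernet
 * header is stripped before ipfw/pfil run and must be put back before the frame
 * returns to the bridge.  frame_t, knobs_t, run_frame() and the ipfw rule set
 * are this example's own inventions, not kernel API. */
#include <stdint.h>
#include <string.h>

#define ETHER_HDR_LEN    14
#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_IPV6   0x86dd
#define ETHERTYPE_ATALK  0x809b   /* a non-IP type, to exercise pfil_onlyip */

enum { VERDICT_DROP = 0, VERDICT_PASS = 1 };
typedef struct { uint8_t buf[64]; size_t off, len; } frame_t; /* mbuf stand-in: data at buf+off */
typedef struct { int pfil_ipfw, pfil_onlyip; } knobs_t;     /* net.link.bridge.{ipfw,pfil_onlyip} */
typedef struct { int verdict, intact; } result_t;

/* Constructed (made-up) source addresses for the scenarios below. */
static const uint8_t blocked_src[6] = { 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t allowed_src[6] = { 0x02, 0, 0, 0, 0, 0x02 };

/* Constructed frame: broadcast dst, given src and ethertype, 28 payload bytes. */
static void make_frame(frame_t *f, uint16_t ether_type, const uint8_t src[6])
{
    static const uint8_t arp_req[8] = { 0, 1, 8, 0, 6, 4, 0, 1 }; /* htype,ptype,hlen,plen,op */
    memset(f, 0, sizeof *f);
    memset(f->buf, 0xff, 6);
    memcpy(f->buf + 6, src, 6);
    f->buf[12] = (uint8_t)(ether_type >> 8);
    f->buf[13] = (uint8_t)ether_type;
    if (ether_type == ETHERTYPE_ARP)
        memcpy(f->buf + ETHER_HDR_LEN, arp_req, sizeof arp_req);
    f->off = 0;
    f->len = ETHER_HDR_LEN + 28;
}

/* Does the frame still begin with its 14-byte Ethernet header? */
static int header_intact(const frame_t *f) { return f->off == 0 && f->len >= ETHER_HDR_LEN; }

/* Hypothetical ipfw layer2 rule set standing in for ip_fw_chk_ptr(): "deny ARP
 * from blocked_src".  It inspects the saved header, as ipfw does via args.eh. */
static int ipfw_layer2_model(const uint8_t *eh2, uint16_t ether_type)
{
    if (ether_type == ETHERTYPE_ARP && memcmp(eh2 + 6, blocked_src, 6) == 0)
        return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Model of bridge_pfil() with the ethertype switch below the header strip, as in
 * the posted patch.  arp_breaks selects how the ARP case leaves that switch:
 * 0 = `return (0)` as posted, 1 = `break` into the common restore path. */
static int pfil_model(frame_t *f, const knobs_t *k, int arp_breaks)
{
    uint8_t eh2[ETHER_HDR_LEN];
    const uint8_t *p = f->buf + f->off;
    uint16_t ether_type = (uint16_t)((p[12] << 8) | p[13]);
    /* Strip off the Ethernet header and keep a copy (m_copydata + m_adj). */
    memcpy(eh2, p, ETHER_HDR_LEN);
    f->off += ETHER_HDR_LEN;
    f->len -= ETHER_HDR_LEN;
    /* ipfw layer2 pass; after the patch every ethertype reaches it. */
    if (k->pfil_ipfw && ipfw_layer2_model(eh2, ether_type) == VERDICT_DROP)
        goto bad;
    switch (ether_type) {               /* the patch's second switch (pfil dispatch) */
    case ETHERTYPE_ARP:
    case ETHERTYPE_REVARP:
        if (!arp_breaks)
            return VERDICT_PASS;        /* header is still stripped at this point */
        break;
    case ETHERTYPE_IP:
    case ETHERTYPE_IPV6:
        break;                          /* pfil hooks would run here; modelled as pass */
    default:
        if (k->pfil_onlyip)
            goto bad;                   /* pfil cannot inspect it, so drop by default */
        break;
    }
    /* Put everything back the way it was (M_PREPEND + bcopy of eh2). */
    f->off -= ETHER_HDR_LEN;
    f->len += ETHER_HDR_LEN;
    memcpy(f->buf + f->off, eh2, ETHER_HDR_LEN);
    return VERDICT_PASS;
bad:
    f->len = 0;                         /* m_freem(): nothing left to forward */
    return VERDICT_DROP;
}

/* Run one constructed frame through the model with the given knob settings and
 * report the verdict plus whether the Ethernet header is back in place. */
result_t run_frame(uint16_t ether_type, const uint8_t src[6], int pfil_ipfw,
                   int pfil_onlyip, int arp_breaks)
{
    frame_t f; knobs_t k = { pfil_ipfw, pfil_onlyip };
    make_frame(&f, ether_type, src);
    result_t r = { pfil_model(&f, &k, arp_breaks), 0 };
    r.intact = header_intact(&f);
    return r;
}
```

With ipfw=1 and pfil_onlyip=1 (the defaults after the patch), run_frame(ETHERTYPE_ARP, allowed_src, 1, 1, 0) passes the frame but reports intact == 0, because the early return happens after the strip; the same call with arp_breaks=1 comes back intact. ARP from blocked_src is dropped by the ipfw rule only when ipfw=1, and the AppleTalk frame is dropped or passed purely by pfil_onlyip, after ipfw has already accepted it.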
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060914044842.GC35371>