From owner-freebsd-net@FreeBSD.ORG Thu Sep 14 04:48:49 2006
Date: Thu, 14 Sep 2006 16:48:42 +1200
From: Andrew Thompson
To: Eygene Ryabinkin
Cc: freebsd-net@freebsd.org, Jon Otterholm
Subject: Re: Bridge
Message-ID: <20060914044842.GC35371@heff.fud.org.nz>
In-Reply-To: <20060914043802.GZ1221@codelabs.ru>
References: <45084BBD.7090903@ide.resurscentrum.se> <20060914042010.GA35371@heff.fud.org.nz> <20060914043802.GZ1221@codelabs.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Sep 14, 2006 at 08:38:02AM +0400, Eygene Ryabinkin wrote:
> Andrew, good day!
>
> > The check for ARP happens before the ipfw layer2 code so it isn't
> > currently possible to filter them.
> >
> > switch (ether_type) {
> > case ETHERTYPE_ARP:
> > case ETHERTYPE_REVARP:
> > return (0); /* Automatically pass */
> I am a bit confused because in another thread (also created by
> Jon Otterholm) you answered that
> -----
> The only way that you will be able to filter ARP packets is by setting
> pfil_onlyip=0, ipfw=1 and use the IPFW layer2 filtering.
> -----
> citing the same code. Am I understanding something incorrectly, or do
> these two answers contradict each other?

Yes, that's just me being stupid :) My first answer to Jon was not correct,
you cannot currently filter ARP. I have attached a patch that should make
this possible by rearranging things.

Thanks for pointing it out.
Andrew --LZvS9be/3tNcYl/X Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="bridge_filterarp.diff" Index: if_bridge.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_bridge.c,v retrieving revision 1.79 diff -u -p -r1.79 if_bridge.c --- if_bridge.c 25 Aug 2006 20:11:56 -0000 1.79 +++ if_bridge.c 14 Sep 2006 04:38:50 -0000 @@ -490,11 +490,9 @@ sysctl_pfil_ipfw(SYSCTL_HANDLER_ARGS) /* * Disable pfil so that ipfw doesnt run twice, if the user * really wants both then they can re-enable pfil_bridge and/or - * pfil_member. Also allow non-ip packets as ipfw can filter by - * layer2 type. + * pfil_member. */ if (pfil_ipfw) { - pfil_onlyip = 0; pfil_bridge = 0; pfil_member = 0; } @@ -2736,34 +2734,6 @@ bridge_pfil(struct mbuf **mp, struct ifn } } - /* - * If we're trying to filter bridge traffic, don't look at anything - * other than IP and ARP traffic. If the filter doesn't understand - * IPv6, don't allow IPv6 through the bridge either. This is lame - * since if we really wanted, say, an AppleTalk filter, we are hosed, - * but of course we don't have an AppleTalk filter to begin with. - * (Note that since pfil doesn't understand ARP it will pass *ALL* - * ARP traffic.) - */ - switch (ether_type) { - case ETHERTYPE_ARP: - case ETHERTYPE_REVARP: - return (0); /* Automatically pass */ - case ETHERTYPE_IP: -#ifdef INET6 - case ETHERTYPE_IPV6: -#endif /* INET6 */ - break; - default: - /* - * Check to see if the user wants to pass non-ip - * packets, these will not be checked by pfil(9) and - * passed unconditionally so the default is to drop. - */ - if (pfil_onlyip) - goto bad; - } - /* Strip off the Ethernet header and keep a copy. */ m_copydata(*mp, 0, ETHER_HDR_LEN, (caddr_t) &eh2); m_adj(*mp, ETHER_HDR_LEN); 
@@ -2836,9 +2806,14 @@ ipfwpass: error = 0; /* - * Run the packet through pfil + * Run the packet through pfil. (Note that since pfil doesn't understand + * ARP it will pass *ALL* ARP traffic.) */ switch (ether_type) { + case ETHERTYPE_ARP: + case ETHERTYPE_REVARP: + return (0); /* Automatically pass */ + case ETHERTYPE_IP: /* * before calling the firewall, swap fields the same as @@ -2930,7 +2905,14 @@ ipfwpass: break; #endif default: - error = 0; + /* + * Check to see if the user wants to pass non-ip + * packets. + */ + if (pfil_onlyip) { + error = -1; + goto bad; + } break; } --LZvS9be/3tNcYl/X--
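Review bot: the removal of `pfil_onlyip = 0;` from sysctl_pfil_ipfw() in the first hunk is a user-visible behaviour change that the patch does not document. Setting net.link.bridge.ipfw=1 used to clear pfil_onlyip so that non-IP frames reached the ipfw layer2 rules; after this hunk an administrator must also set pfil_onlyip=0 by hand, otherwise those frames are dropped by the `default:` case later in bridge_pfil(). Please update the if_bridge(4) manual page and the sysctl description so they say that ipfw=1 no longer implies pfil_onlyip=0.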
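Review bot: the new `case ETHERTYPE_ARP: case ETHERTYPE_REVARP: return (0);` in the third hunk, after the `ipfwpass:` label, returns a frame whose Ethernet header has already been removed. The `m_copydata(*mp, 0, ETHER_HDR_LEN, (caddr_t) &eh2); m_adj(*mp, ETHER_HDR_LEN);` that the second hunk leaves in place runs before this point, and the copy kept in eh2 is only restored further down bridge_pfil(), not on this early return; in the original placement the ARP return came before the strip, so the frame stayed intact. Suggest `error = 0; break;` here (the path the old `default:` case took) so the frame falls through to the code that puts eh2 back, rather than returning directly.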
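Review bot: with the pfil_onlyip check moved into the pfil switch in the fourth hunk, a non-IP frame now goes through the whole ipfw layer2 pass above before being dropped when pfil_onlyip is still set (the default, per the removed comment), so the ipfw rule evaluation is wasted and an ipfw accept on such a frame is silently overridden. Either test pfil_onlyip before the ipfw block, or say in the comment that pfil_onlyip takes precedence over the ipfw verdict. The replacement comment (`Check to see if the user wants to pass non-ip packets.`) also drops the old rationale that such frames are never checked by pfil(9) and would otherwise pass unconditionally, which is the reason the default is to drop and is worth keeping.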