From owner-freebsd-net Wed May 29 12:50:11 2002
From: "Albuquerque, Marcelo M"
To: "'Luigi Rizzo'"
Cc: "'freebsd-net@freeBSD.ORG'"
Subject: RE: Does "xmit" work with ipfw dummynet?
Date: Wed, 29 May 2002 12:49:35 -0700

> On Wed, May 29, 2002 at 09:35:12AM -0700, Albuquerque, Marcelo M wrote:
> > Thanks Luigi.
> >
> > > xmit cannot match on bridged packets
> >
> > Is it a hard problem to make xmit compatible with bridged packets or is it
>
> in the place the ipfw filter are in the bridging code, the info
> on the output interface is still not available, this is why xmit
> does not match.

Is there a place downstream where we could insert a check and match the
output interface?

> > just that no one had the need yet to implement the changes? Is there any way
> > around this limitation that would allow us to achieve the same goal?
>
> which is what ? you do not want to bridge between fxp0 and fxp1 ?

We do want to bridge packets from fxp0 to fxp1 and at the same time have the
firewall filter match both incoming and outgoing interfaces.

>
> luigi
> >
> > > xmit cannot match on bridged packets
> >
> > luigi
> >
> > >
> > > Here is the setup:
> > >
> > >                  ___________________
> > >                 |                   |
> > > 192.168.1.1 --- |FreeBSD 4.5 Bridge | --- 192.168.1.2
> > >                 |___________________|
> > >                           |
> > >                           |
> > >                      192.168.1.3
> > >
> > >
> > > This works:
> > > ipfw add 100 deny ip from any to any in recv fxp0
> > >
> > > This doesn't:
> > > ipfw add 100 deny ip from any to any out xmit fxp1
> > >
> > > What I really want, but fear is not supported, is:
> > > ipfw add 100 deny ip from any to any out recv fxp0 xmit fxp1
> > >
> > > That is, I want to block traffic coming in from fxp0 and going out
> > > fxp1, in bridged mode.
> > >
> > > Anyone know if this is possible?
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-net" in the body of the message