Date: Fri, 1 Nov 2002 13:21:48 +0100
From: Thomas Gielfeldt <thomas@gielfeldt.dk>
To: freebsd-net@freebsd.org
Subject: Re:[2] Connecting two LANs via VPN and Filtering
Message-ID: <MWMail.pbofdclh@host.none>

Archie Cobbs <archie@dellroad.org> wrote on 01-11-02 00:14:06:
>
>Thomas Gielfeldt writes:
>> So you probably have to filter via netgraph?
>
>This can be done with ng_bpf(4).
>
>-Archie
>
>__________________________________________________________________________
>Archie Cobbs * Packet Design * http://www.packetdesign.com

Okay. I've tried to get an example (from ng_bpf man) up and running but it doesn't seem to work.

I could extract that the ether.bridge script I use does the following:

ngctl kill bnet0: >/dev/null 2>&1
ngctl kill tap0: >/dev/null 2>&1
ngctl kill rl1: >/dev/null 2>&1
ngctl kill rl1: >/dev/null 2>&1
ifconfig tap0 up || exit 1
ifconfig rl1 up || exit 1
ifconfig rl1 up || exit 1
ngctl mkpeer tap0: bridge lower link0 || exit 1
ngctl name tap0:lower bnet0 || exit 1
ngctl connect rl1: bnet0: lower link1 || exit 1
ngctl connect rl1: bnet0: upper link2 || exit 1
ngctl msg tap0: setpromisc 1 || exit 1
ngctl msg tap0: setautosrc 0 || exit 1
ngctl msg rl1: setpromisc 1 || exit 1
ngctl msg rl1: setautosrc 0 || exit 1

I'm not actually sure what this does, but the bridge works. (I'm not an expert on this so please bear with me.)

The input from the tap0 should be filtered in a way so that dhcp-requests are dropped.

As I could understand, a bpf program takes a node, and creates two more nodes where the packets are sent to depending on whether they match the criteria or not. So what I probably want to do is to make such a bpf program and link the node where the dhcp-packets are NOT sent to the bridge instead of linking the tap0 directly. (Please correct me if I'm wrong.)

This would probably mean that these four lines should be changed and the bpf-node inserted somewhere.

* ngctl mkpeer tap0: bridge lower link0 || exit 1
* ngctl name tap0:lower bnet0 || exit 1
* ngctl connect rl1: bnet0: lower link1 || exit 1
* ngctl connect rl1: bnet0: upper link2 || exit 1

I've tried to read the ng_bpf man but it didn't help that much. Well ... maybe I'm just stupid and need to have it drawn in crayons.... so .... do you have any crayons? ;-)

Thanks.

/Thomas

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
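
One way the first two of the four lines above could be rearranged so that an ng_bpf node sits between tap0 and the bridge, as an added example that is not part of the original message. The script only prints the commands; the node name dhcpfilt, the hook names fromtap and tobridge, and the hand-assembled filter program (IPv4 UDP to port 67 only) are assumptions, while the setprogram fields follow ng_bpf(4).

```shell
#!/bin/sh
# Added example: prints (does not run) ngctl commands for tap0 -> ng_bpf -> bridge.
# Node name "dhcpfilt" and hook names "fromtap"/"tobridge" are assumptions.

# Constructed classic-BPF program in `tcpdump -ddd` layout (count, then
# "code jt jf k" per line): IPv4, UDP, not a later fragment, dst port 67.
DHCP_REQ='11
40 0 0 12
21 0 8 2048
48 0 0 23
21 0 6 17
40 0 0 20
69 4 0 8191
177 0 0 14
72 0 0 16
21 0 1 67
6 0 0 65535
6 0 0 0'
# Constructed accept-everything program for the bridge -> tap direction.
PASS_ALL='1
6 0 0 65535'

# Turn -ddd text on stdin into the bpf_prog_len/bpf_prog fields of setprogram.
bpf_fields() {
    read -r len
    printf 'bpf_prog_len=%s bpf_prog=[' "$len"
    while read -r code jt jf k; do
        printf ' { code=%s jt=%s jf=%s k=%s }' "$code" "$jt" "$jf" "$k"
    done
    printf ' ]'
}

# Args: THISHOOK IFMATCH IFNOTMATCH DDD_TEXT. An empty destination hook drops.
setprogram() {
    printf "ngctl msg dhcpfilt: setprogram '{ thisHook=\"%s\" ifMatch=\"%s\" ifNotMatch=\"%s\" %s }'\n" \
        "$1" "$2" "$3" "$(printf '%s\n' "$4" | bpf_fields)"
}

# Replacement for the "mkpeer tap0: bridge" and "name tap0:lower bnet0" lines.
emit_cmds() {
    echo 'ngctl mkpeer tap0: bpf lower fromtap'
    echo 'ngctl name tap0:lower dhcpfilt'
    echo 'ngctl mkpeer dhcpfilt: bridge tobridge link0'
    echo 'ngctl name dhcpfilt:tobridge bnet0'
    setprogram fromtap '' tobridge "$DHCP_REQ"   # match (DHCP request) -> dropped
    setprogram tobridge fromtap '' "$PASS_ALL"   # everything from the bridge -> tap0
}

emit_cmds
```

The two `ngctl connect rl1: bnet0: ...` lines stay as they are, since the bridge node keeps the name bnet0.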