Subject: addition to ipfw..
From: Julian Elischer <julian@elischer.org>
To: FreeBSD Net <freebsd-net@freebsd.org>
Date: Mon, 11 Dec 2006 13:27:35 -0800
Message-ID: <457DCD47.5090004@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

In ipfw layer 2 processing, the packet is passed to the firewall as if it were a layer 3 IP packet, but the ether header is also made available.

I would like to add something similar in the case where a vlan tag is also on the packet. Basically I have a change where:

If we are processing layer 2 packets (in ether or bridge code) AND a sysctl says to do it, and it is a vlan packet, then the vlan header is also held back so that the packet can be processed and examined as an IP packet.

It is (in the same way the ether header is) reattached when the packet is accepted. This allows me to filter packets that are traversing my bridge, even though they are encapsulated in a vlan.

I have patches to allow this. I need this function. Does anyone else?

Julian
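The flow the message describes (hold back the link-layer header, hand the rest to the layer 3 rules, reattach the header on accept) extended to an 802.1Q tag, as an added userland model. This is example code written for this page, not FreeBSD's ipfw code and not Julian's patch; the struct and function names, the `strip_vlan_sysctl` stand-in for the proposed sysctl, the toy rule set and the sample frame are all this example's own.

```c
/* Added example: model of "hold back the L2 header, filter as IP, reattach".
 * Not FreeBSD/ipfw code and not the patch from the message; all names are
 * this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_VLAN 0x8100
#define ETHER_HDR_LEN  14
#define VLAN_TAG_LEN   4

/* What is held back while the payload is examined as an IP packet. */
struct l2_hold {
    uint8_t  bytes[ETHER_HDR_LEN + VLAN_TAG_LEN]; /* raw header copy, 14 or 18 bytes */
    size_t   len;
    int      tagged;    /* 1 if a VLAN tag was held back too */
    uint16_t vlan_id;   /* 12-bit VID, valid when tagged */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Stand-in for the proposed sysctl: also hold back one 802.1Q tag. */
static int strip_vlan_sysctl = 1;

/* Find the IPv4 packet in an Ethernet frame. Returns 0 and sets *ip/*iplen,
 * or -1 if the frame is truncated or is not (directly, or via one tag) IPv4.
 * With the knob off a tagged frame is simply not an IP packet to the filter. */
static int l2_strip(const uint8_t *frame, size_t len, struct l2_hold *hold,
                    const uint8_t **ip, size_t *iplen)
{
    size_t off = ETHER_HDR_LEN;
    uint16_t etype;

    if (len < ETHER_HDR_LEN)
        return -1;
    etype = be16(frame + 12);
    hold->tagged = 0;
    hold->vlan_id = 0;
    if (etype == ETHERTYPE_VLAN) {
        if (!strip_vlan_sysctl || len < ETHER_HDR_LEN + VLAN_TAG_LEN)
            return -1;
        hold->tagged = 1;
        hold->vlan_id = be16(frame + 14) & 0x0fff;
        etype = be16(frame + 16);          /* encapsulated ethertype */
        off += VLAN_TAG_LEN;
    }
    if (etype != ETHERTYPE_IP || len < off + 20)
        return -1;
    memcpy(hold->bytes, frame, off);
    hold->len = off;
    *ip = frame + off;
    *iplen = len - off;
    return 0;
}

/* Toy layer 3 rule set standing in for ipfw: drop TCP to port 23, pass the rest. */
static int ip_filter_accepts(const uint8_t *ip, size_t iplen)
{
    size_t ihl;
    if (iplen < 20 || (ip[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || iplen < ihl + 4)
        return 0;
    return !(ip[9] == 6 && be16(ip + ihl + 2) == 23);  /* proto TCP, dst port 23 */
}

/* Put the held header back in front of the IP packet; returns total length or 0. */
static size_t l2_reattach(const struct l2_hold *hold, const uint8_t *ip,
                          size_t iplen, uint8_t *out, size_t outcap)
{
    if (outcap < hold->len + iplen)
        return 0;
    memcpy(out, hold->bytes, hold->len);
    memcpy(out + hold->len, ip, iplen);
    return hold->len + iplen;
}

/* Bridge path: -1 not handled as IP, 0 dropped, 1 accepted and reassembled into out. */
static int bridge_filter(const uint8_t *frame, size_t len, uint8_t *out, size_t *outlen)
{
    struct l2_hold hold; const uint8_t *ip; size_t iplen;
    if (l2_strip(frame, len, &hold, &ip, &iplen) != 0)
        return -1;
    if (!ip_filter_accepts(ip, iplen))
        return 0;
    *outlen = l2_reattach(&hold, ip, iplen, out, *outlen);
    return *outlen ? 1 : 0;
}

/* Constructed sample (not a capture): VLAN 100 frame carrying IPv4/TCP to port 80. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, /* dst, src MAC */
    0x81,0x00, 0x00,0x64, 0x08,0x00,                              /* 802.1Q VID 100, then IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, /* IPv4 hdr, proto 6 (TCP) */
    10,0,0,1, 10,0,0,2,                                           /* src, dst */
    0x04,0xd2, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0, /* TCP sport 1234, dport 80 */
};

int main(void)
{
    uint8_t out[128]; size_t outlen = sizeof out;
    int r = bridge_filter(sample_frame, sizeof sample_frame, out, &outlen);
    printf("result=%d len=%zu identical=%d\n", r, outlen,
           r == 1 && outlen == sizeof sample_frame && !memcmp(out, sample_frame, outlen));
    return 0;
}
```

With `strip_vlan_sysctl` set to 0 the tagged frame never reaches the IP rules at all, which is the behaviour the message describes before the change; with it set, the rules see a plain IPv4 packet and the accepted frame comes back byte-for-byte identical, tag included.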