From: Andre Oppermann <andre@freebsd.org>
Date: Mon, 11 Dec 2006 23:06:16 +0100
To: Julian Elischer
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: addition to ipfw..
Message-ID: <457DD658.7010707@freebsd.org>
In-Reply-To: <457DCD47.5090004@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

Julian Elischer wrote:
>
> in ipfw layer 2 processing, the packet is passed to the firewall
> as if it was a layer 3 IP packet but the ether header is also made
> available.
>
> I would like to add something similar in the case where a vlan tag
> is also on the packet..
>
> basically I have a change where:
>
> If we are processing layer 2 packets (in ether or bridge code)
> AND a sysctl says to do it,
> and it is a vlan packet,
>
> Then the vlan header is also held back so that the packet can be
> processed and examined as an IP packet. It is
> (in the same way the ether header is) reattached when the packet is
> accepted.
>
> This allows me to filter packets that are traversing my bridge,
> even though they are encapsulated in a vlan.
>
> I have patches to allow this. I need this function. Does anyone else?

Please have the ipfw code examine the vlan tag in the mbuf instead of
fiddling with the mbuf contents.

-- 
Andre
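The two approaches in the exchange above, as an added example that is not code from the thread, ipfw or FreeBSD: a flat byte buffer stands in for the mbuf, the frame is constructed inline, and no kernel API is modelled. `parse_frame` reads the 802.1Q tag in place and reports where the IPv4 header starts, so a filter can reach the encapsulated IP packet without touching the frame (Andre's suggestion); `strip_vlan_tag` and `reinsert_vlan_tag` show the "hold back and reattach" variant Julian describes, including the length and capacity checks that variant needs.

```c
/*
 * Added example, not code from the thread, ipfw or FreeBSD: parse an
 * 802.1Q-tagged Ethernet frame and reach the encapsulated IPv4 header
 * without rewriting the frame, then contrast with the "hold back" approach
 * that removes the tag bytes and reinserts them once the packet is accepted.
 * A flat byte buffer stands in for the mbuf (assumption for illustration).
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN 0x8100u
#define ETHERTYPE_IP   0x0800u
#define ETHER_HDR_LEN  14
#define VLAN_TAG_LEN   4
#define IPV4_MIN_HDR   20

struct frame_view {
    int      has_vlan;   /* 1 if an 802.1Q tag is present */
    uint8_t  vlan_pcp;   /* 3-bit priority code point */
    uint16_t vlan_id;    /* 12-bit VLAN identifier */
    uint16_t ethertype;  /* ethertype of the encapsulated payload */
    size_t   l3_offset;  /* byte offset of the layer 3 header */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Read the headers in place; the frame is never modified.
 * Returns 0 on success, -1 if the frame is too short for the headers it claims. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_view *v)
{
    memset(v, 0, sizeof(*v));
    if (len < ETHER_HDR_LEN) return -1;
    uint16_t et = be16(buf + 12);
    size_t off = ETHER_HDR_LEN;
    if (et == ETHERTYPE_VLAN) {
        if (len < ETHER_HDR_LEN + VLAN_TAG_LEN) return -1;
        uint16_t tci = be16(buf + 14);          /* PCP(3) | DEI(1) | VID(12) */
        v->has_vlan = 1;
        v->vlan_pcp = (uint8_t)(tci >> 13);
        v->vlan_id  = tci & 0x0fffu;
        et   = be16(buf + 16);                  /* real ethertype follows the tag */
        off += VLAN_TAG_LEN;
    }
    v->ethertype = et;
    v->l3_offset = off;
    return 0;
}

/* IPv4 destination address behind the (possibly tagged) Ethernet header:
 * what a filter rule would match on without the tag ever being moved. */
int ipv4_dst(const uint8_t *buf, size_t len, uint32_t *dst)
{
    struct frame_view v;
    if (parse_frame(buf, len, &v) != 0 || v.ethertype != ETHERTYPE_IP) return -1;
    if (len < v.l3_offset + IPV4_MIN_HDR) return -1;
    *dst = be32(buf + v.l3_offset + 16);        /* daddr sits at IPv4 offset 16 */
    return 0;
}

/* "Hold back" variant: drop the 4 tag bytes so the frame looks untagged.
 * Returns the new length, or 0 if there was no tag; the TCI is saved for later. */
size_t strip_vlan_tag(uint8_t *buf, size_t len, uint16_t *saved_tci)
{
    struct frame_view v;
    if (parse_frame(buf, len, &v) != 0 || !v.has_vlan) return 0;
    *saved_tci = be16(buf + 14);
    memmove(buf + 12, buf + 16, len - 16);      /* slide ethertype + payload up */
    return len - VLAN_TAG_LEN;
}

/* Reattach the tag after the packet is accepted. Needs 4 bytes of spare
 * capacity; returns the new length, or 0 if the buffer cannot grow. */
size_t reinsert_vlan_tag(uint8_t *buf, size_t len, size_t cap, uint16_t tci)
{
    if (len < 12 || len + VLAN_TAG_LEN > cap) return 0;
    memmove(buf + 16, buf + 12, len - 12);
    buf[12] = 0x81; buf[13] = 0x00;
    buf[14] = (uint8_t)(tci >> 8); buf[15] = (uint8_t)tci;
    return len + VLAN_TAG_LEN;
}

/* Constructed sample frame: VLAN 100, PCP 3, minimal IPv4 10.0.0.1 -> 192.0.2.7. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t frame[] = {
        0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb, /* dst, src MAC */
        0x81,0x00, 0x60,0x64,           /* 802.1Q tag: PCP=3, VID=100 */
        0x08,0x00,                      /* ethertype IPv4 */
        0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
        0x0a,0x00,0x00,0x01, 0xc0,0x00,0x02,0x07 };
    if (cap < sizeof frame) return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_sample_frame(f, sizeof f);
    struct frame_view v;
    uint32_t dst;
    if (parse_frame(f, n, &v) == 0 && ipv4_dst(f, n, &dst) == 0)
        printf("vlan %u pcp %u l3 at %zu dst 0x%08x\n", v.vlan_id, v.vlan_pcp, v.l3_offset, dst);
    return 0;
}
```

The in-place reader is the cheaper and safer path: nothing is moved, so a truncated or oddly sized frame fails the length check instead of producing a half-shifted buffer, and the tag is still available to rules that want to match on VLAN ID. The strip/reinsert pair works, but every accept path must remember to put the tag back and the buffer must have room for it, which is the "fiddling with the mbuf contents" the reply objects to.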