Date: Wed, 13 Sep 2006 16:58:31 +0200
From: Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To: freebsd-ipfw@freebsd.org
Subject: Bridge
Message-ID: <45081C97.1040206@ide.resurscentrum.se>
Hi.

According to man if_bridge one could filter L2-traffic with ipfw.

From man if_bridge:

    ARP and REVARP packets are forwarded without being filtered and others
    that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
    enabled. IPFW can filter Ethernet types using mac-type so all packets
    are passed to the filter for processing.

ARP is still forwarded though I have the following config:

I have the following sysctl set:

net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

ipfw list:

65533 deny ip from any to any MAC any any
65534 deny ip from any to any layer2
65535 deny ip from any to any

ifconfig:

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet6 fe80::204:23ff:febd:2342%em0 prefixlen 64 scopeid 0x1
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        ether 00:04:23:bd:23:43
        media: Ethernet autoselect
        status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
vlan1000: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::204:23ff:febd:2342%vlan1000 prefixlen 64 scopeid 0x5
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 1000 parent interface: em0
vlan1001: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::204:23ff:febd:2342%vlan1001 prefixlen 64 scopeid 0x6
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 1001 parent interface: em0
vlan1002: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::204:23ff:febd:2342%vlan1002 prefixlen 64 scopeid 0x7
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 1002 parent interface: em0
bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether ac:de:48:83:8d:c6
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: vlan1002 flags=3<LEARNING,DISCOVER>
        member: vlan1001 flags=3<LEARNING,DISCOVER>
        member: vlan10 flags=3<LEARNING,DISCOVER>
vlan10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::204:23ff:febd:2342%vlan10 prefixlen 64 scopeid 0x9
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 10 parent interface: em0

ARP-broadcast can still travel between member IFs in bridge0.

Have I missed something here? Do I have to use bridge instead of if_bridge?

/Jon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45081C97.1040206>
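The configuration question above, as an added example that is not part of the original message or of FreeBSD: a small sh check that reads `sysctl net.link.bridge` output and applies the if_bridge(4) sentence quoted in the post (with pfil_onlyip enabled, ARP and REVARP are forwarded without being filtered), flagging a bridge whose ARP frames never reach ipfw. The sysctl lines are constructed sample input taken from the post; `bridge_arp_filtered`, `check_post` and `check_fixed` are assumed helper names.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD.
# Audit "key: value" sysctl output (as printed by `sysctl net.link.bridge`)
# against the if_bridge(4) rule quoted in the post: with pfil_onlyip=1 the
# bridge forwards ARP/REVARP without handing them to the filter, so a
# "deny ... layer2" rule never sees them. ipfw only sees bridged frames
# at all when net.link.bridge.ipfw is 1. Only those two knobs are checked.

# Reads sysctl lines on stdin. Prints a verdict; returns 0 if ipfw will
# see ARP frames crossing the bridge, 1 otherwise.
bridge_arp_filtered() {
    ipfw=0 onlyip=1                      # conservative defaults
    while IFS= read -r line; do
        key=${line%%:*}                  # text before the first ':'
        val=${line##*: }                 # text after the last ': '
        case "$key" in
            net.link.bridge.ipfw)        ipfw=$val ;;
            net.link.bridge.pfil_onlyip) onlyip=$val ;;
        esac
    done
    if [ "$ipfw" != 1 ]; then
        echo "ipfw not hooked into the bridge: net.link.bridge.ipfw=$ipfw"
        return 1
    fi
    if [ "$onlyip" = 1 ]; then
        echo "ARP bypasses ipfw: pfil_onlyip=1 forwards ARP/REVARP unfiltered"
        return 1
    fi
    echo "ARP frames reach ipfw: layer2 / mac-type rules can act on them"
    return 0
}

# Constructed sample: the exact values shown in the post.
POST_SYSCTL='net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'

# Constructed sample: same values with pfil_onlyip cleared, which is what
# the quoted man page sentence requires for non-IP frames to be filtered.
FIXED_SYSCTL='net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0'

check_post()  { printf '%s\n' "$POST_SYSCTL"  | bridge_arp_filtered; }
check_fixed() { printf '%s\n' "$FIXED_SYSCTL" | bridge_arp_filtered; }

check_post || echo "-> set net.link.bridge.pfil_onlyip=0 so ARP is filtered"
check_fixed
```

On a live host the same function can be fed with `sysctl net.link.bridge | bridge_arp_filtered`.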