From: Fabian Keil
To: Andrew Thompson
Cc: freebsd-net@freebsd.org
Date: Sat, 15 Apr 2006 23:28:01 +0200
Subject: Re: How to use if_bridge

Andrew Thompson wrote:

> On Sat, Apr 15, 2006 at 11:53:52AM +0200, Fabian Keil wrote:
> > "Daniel O'Connor" wrote:
> >
> > > On Friday 14 April 2006 21:37, Fabian Keil wrote:
> >
> > > > Depending on your firewall setup you might have to disable
> > > > some of the net.link.bridge sysctls as well.
> > >
> > > I don't have any firewalls in the kernel for simplicity at this stage.
> >
> > If I'm not mistaken you have to disable net.link.bridge.pfil_onlyip
> > then. From the if_bridge man page:
> >
> > |net.link.bridge.pfil_onlyip  Set to 1 to only allow IP packets to
> > |                             pass when packet filtering is enabled (subject to
> > |                             firewall rules), set to 0 to unconditionally
> > |                             pass all non-IP Ethernet frames.
> >
> > It's enabled by default.
>
> It may not be entirely clear from the description but that sysctl only
> has effect when packet filtering is enabled, both for the on and off
> values.
>
> At present there are only pfil(9) hooks for IP and IPv6 filters, the
> knob controls what happens when filtering is enabled and the packet is
> not IP so won't be inspected, is it passed or dropped.
>
> I'll try and clarify the man page.

Thanks. I always interpreted the sentence as "Set to 1 to allow IP packets to
pass only if packet filtering is enabled". I thought it should prevent
the user from creating an unfiltered bridge by accident.

Another thing regarding the man page:

The example section has the following sentence
"Such a configuration could be used to implement a simple
802.11-to-Ethernet bridge (assuming the 802.11 interface is
in ad-hoc mode)."

I don't get the meaning of the ad-hoc mode part. In my tests
if_bridge worked in hostap mode as well, but failed in infrastructure
mode.

Could you clarify if (or why not) bridging in infrastructure
mode should work?

Fabian
--
http://www.fabiankeil.de/