Date: Tue, 25 Jan 2000 17:33:11 +0100 (CET)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: net@freebsd.org
Subject: sysctl net.inet.ip.fw.enable ?
Message-ID: <200001251633.RAA09122@info.iet.unipi.it>
Hi,

when you enable bridge_ipfw (violating bridging vs. routing principles as someone said!), there is a side effect: packets which are both bridged _and_ forwarded to the local stack get through the firewall twice: once in the bridging code, once in the IP stack. This happens for instance with multicast traffic even if there is no local receiver for such traffic, and could have some annoying effects if you are using bridge_ipfw to do traffic shaping.

I am not sure what is a good workaround, but one quick hack could be to introduce a sysctl variable, net.inet.ip.fw.enable, which controls whether or not ipfw is used in the ip layer.

I cannot come up with better ways at the moment, and this one is not totally satisfactory as if you have

    net.inet.ip.fw.enable=0
    net.link.ether.bridge_ipfw=1

the packets to the local stack will NOT go through the firewall.

Probably one ought to add an ipfw feature to be able to write rules which match only bridged packets (this is easy).

Comments ?

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it    . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/    . Universita` di Pisa
TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
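The following is an added model of the situation the message describes; it is not code from the message, from FreeBSD, or from ipfw. It treats the two hook points (the bridge_ipfw hook in the bridging code and the hook in the IP input path, gated by the proposed net.inet.ip.fw.enable sysctl) as two booleans and enumerates how many times a packet is filtered for each combination, so that both the double-pass problem and the unfiltered-local-path caveat of the proposed workaround can be checked mechanically. Hook placement, the struct names and the sysctl semantics are assumptions drawn only from the text above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model (not FreeBSD kernel code) of the two places where, per
 * the message, ipfw can see the same packet. Names are assumptions.
 */
struct knobs {
    bool bridge_ipfw;    /* net.link.ether.bridge_ipfw */
    bool ip_fw_enable;   /* proposed net.inet.ip.fw.enable */
};

struct pkt {
    bool bridged;        /* handled by the bridging code */
    bool to_local_stack; /* also delivered to the local IP stack */
};

/* Number of ipfw traversals for one packet under the given knobs. */
int fw_passes(struct knobs k, struct pkt p)
{
    int n = 0;
    if (p.bridged && k.bridge_ipfw)
        n++;                       /* first pass: bridge hook */
    if (p.to_local_stack && k.ip_fw_enable)
        n++;                       /* second pass: IP input hook */
    return n;
}

/* True if a packet that is only delivered locally (never bridged) bypasses
 * ipfw entirely: the weakness the message notes for enable=0, bridge_ipfw=1. */
bool local_path_unfiltered(struct knobs k)
{
    struct pkt local_only = { .bridged = false, .to_local_stack = true };
    return fw_passes(k, local_only) == 0;
}

/* True if a bridged-and-locally-delivered packet (e.g. multicast) is
 * filtered twice: the original complaint. */
bool any_double_pass(struct knobs k)
{
    struct pkt both = { .bridged = true, .to_local_stack = true };
    return fw_passes(k, both) == 2;
}

int main(void)
{
    /* Constructed sysctl combinations to compare. */
    struct knobs cases[] = {
        { .bridge_ipfw = true,  .ip_fw_enable = true  },
        { .bridge_ipfw = true,  .ip_fw_enable = false },
        { .bridge_ipfw = false, .ip_fw_enable = true  },
    };
    /* Constructed packet kinds: pure bridge, pure local, both. */
    struct pkt pkts[] = {
        { .bridged = true,  .to_local_stack = false },
        { .bridged = false, .to_local_stack = true  },
        { .bridged = true,  .to_local_stack = true  },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("bridge_ipfw=%d ip.fw.enable=%d:",
               cases[i].bridge_ipfw, cases[i].ip_fw_enable);
        for (size_t j = 0; j < sizeof pkts / sizeof pkts[0]; j++)
            printf(" passes=%d", fw_passes(cases[i], pkts[j]));
        printf("  double=%d unfiltered_local=%d\n",
               any_double_pass(cases[i]), local_path_unfiltered(cases[i]));
    }
    return 0;
}
```

The table the program prints makes the trade-off explicit: with both knobs on, the mixed packet is filtered twice; turning the proposed IP-layer knob off removes the double pass but leaves purely local traffic unfiltered, which is why the message suggests a rule qualifier for bridged packets instead.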