From: Luigi Rizzo <luigi@info.iet.unipi.it>
Subject: sysctl net.inet.ip.fw.enable ?
To: net@freebsd.org
Date: Tue, 25 Jan 2000 17:33:11 +0100 (CET)

Hi,

when you enable bridge_ipfw (violating bridging vs. routing principles, as someone said!), there is a side effect: packets which are both bridged _and_ forwarded to the local stack get through the firewall twice: once in the bridging code, once in the IP stack.

This happens for instance with multicast traffic, even if there is no local receiver for such traffic, and could have some annoying effects if you are using bridge_ipfw to do traffic shaping.

I am not sure what a good workaround is, but one quick hack could be to introduce a sysctl variable, net.inet.ip.fw.enable, which controls whether or not ipfw is used in the IP layer.

I cannot come up with better ways at the moment, and this one is not totally satisfactory, as if you have

    net.inet.ip.fw.enable=0
    net.link.ether.bridge_ipfw=1

the packets to the local stack will NOT go through the firewall.

Probably one ought to add an ipfw feature to be able to write rules which match only bridged packets (this is easy).

Comments?

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it    . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/    . Universita` di Pisa
TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------