From: Julian Elischer
To: "Dan Mahoney, System Admin"
Cc: Luigi Rizzo, Jeremie Le Hen, net@freebsd.org
Date: Sat, 13 Aug 2005 13:35:44 -0700
Subject: Re: 5.4 -- bridging, ipfw, dot1q
Message-ID: <42FE59A0.5080602@elischer.org>
In-Reply-To: <20050813044147.B61674@prime.gushi.org>
List-Id: Networking and TCP/IP with FreeBSD

Dan Mahoney, System Admin wrote:

should be in -net not -hackers, cc's changed accordingly..
> After all, the demuxing is nothing more than ignoring a few extra bits
> at the beginning of the packet. Which all my BPF stuff is doing nicely.
> Snort, trafshow, etc. all work fine and don't seem to choke on the extra
> frames.
>
> I'd personally just be happy if ipfw was smart enough to know that if I
> was using ip-type rules on something that's not ip... that it would
> handle the demuxing automagically.
>
> i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan via em1
>
> or maybe
>
> i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan-as-inet
> via em1

Hi Dan.

What it comes down to is just that no-one who has worked in ipfw has had
your particular problem to solve. O/S gets done when people have a
particular problem to solve.

As for demultiplexing, well, you COULD pass it out to a netgraph node that
strips off the header and stores the info in a tag, and then passes it back
to ipfw, but I don't know how the details would work. (I haven't been in
ipfw since it was rewritten.)

Alternatively you could use netgraph bridging and the netgraph vlan node
type to achieve some sort of stripping.. (Once again, I'm just pointing you
in this direction, not providing a full answer.)

In 6.x netgraph has more options for this sort of thing with a direct
interface between ipfw and netgraph.

So, if you want to fix it, you could either do some work on ipfw or do some
work on netgraph, but either way you'll probably need to do some work.

Julian
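As an added illustration of the demuxing Dan describes (this is not code from the thread, from ipfw or from netgraph), here is a small Python classifier that skips the 802.1Q tag, reads the VLAN ID from the TCI, and applies an IP-destination deny rule to the inner packet, which is the behaviour the wished-for `mac-type vlan` rule would need. The MAC addresses, the 10.0.0.5 source and the checksum-free IPv4 header in `build_frame` are constructed sample data.

```python
import struct
import ipaddress

ETHERTYPE_VLAN = 0x8100  # IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def strip_dot1q(frame: bytes):
    """Return (vlan_id, ethertype, payload); vlan_id is None for untagged frames.

    Demuxing a tagged frame really is just skipping the 4-byte tag that sits
    between the MAC addresses and the real ethertype.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]  # low 12 bits of TCI = VID


def ipv4_dst(payload: bytes):
    """Destination address of an IPv4 header, or None if it is not one."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ipaddress.IPv4Address(payload[16:20])


def classify(frame: bytes, deny_dst: str) -> str:
    """Emulate 'deny ip from any to <deny_dst> mac-type vlan': only tagged
    IPv4 frames whose inner destination matches are denied."""
    vid, ethertype, payload = strip_dot1q(frame)
    if vid is None or ethertype != ETHERTYPE_IPV4:
        return "allow"
    if ipv4_dst(payload) == ipaddress.IPv4Address(deny_dst):
        return "deny"
    return "allow"


def build_frame(dst_ip: str, vid=None) -> bytes:
    """Constructed sample frame (hypothetical MACs, zero IP checksum)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = b"" if vid is None else struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address("10.0.0.5").packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip
```

Because the rule is restricted to tagged frames, the same destination arriving untagged is left alone, which is what `mac-type vlan` would mean.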