From owner-freebsd-pf@FreeBSD.ORG Thu Oct 4 08:52:20 2007
From: Tobias Ernst <tobi@casino.uni-stuttgart.de>
To: freebsd-pf@freebsd.org
Date: Thu, 04 Oct 2007 11:52:05 +0300
Subject: Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
Message-ID: <4704A9B5.8030805@casino.uni-stuttgart.de>
In-Reply-To: <47021088.4090808@casino.uni-stuttgart.de>
References: <46EDE839.8060501@criticalmagic.com> <20070917202951.GF2742@heff.fud.org.nz> <46EEE5C9.8050103@criticalmagic.com> <20070917204318.GB9614@heff.fud.org.nz> <4701FAD7.4050600@casino.uni-stuttgart.de> <20071002091610.GD38352@heff.fud.org.nz> <47021088.4090808@casino.uni-stuttgart.de>
Tobias Ernst wrote:
> I will try the patch from kern/116051 on my 6.2 sources, though. The
> description says that it has been tested on 6.2, and hopefully 6.3 will
> be out by the time my setup goes into production.

For the interested audience: applying this patch to 6.2 requires some modifications, but they are rather straightforward. My patch for 6.2 is below.

After applying it, you can do

    sysctl net.link.bridge.pfil_local_phys=1

After that, packets destined for an IP address of the local firewall that is assigned to a bridge interface will show up in PF on the individual bridge member that they physically arrive on (e.g. em0) RATHER than on the bridge interface of which the physical interface is a member (e.g. bridge0). The packets will then be visible on the physical interface only, so if you were previously filtering on bridge0, you now have to adapt your rules to filter on each individual member interface.

Many thanks to Andrew for pointing me in the right direction, and of course to Eygene for developing this patch.
Regards Tobias *** if_bridge.c.ORIG Tue Oct 2 11:33:42 2007 --- if_bridge.c Tue Oct 2 15:01:09 2007 *************** *** 281,286 **** --- 281,287 ---- static int pfil_member = 1; /* run pfil hooks on the member interface */ static int pfil_ipfw = 0; /* layer2 filter with ipfw */ static int pfil_ipfw_arp = 0; /* layer2 filter with ipfw */ + static int pfil_local_phys = 0; /* PATCH show phys interface for bridge-destined packages */ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW, &pfil_onlyip, 0, "Only pass IP packets when pfil is enabled"); SYSCTL_INT(_net_link_bridge, OID_AUTO, ipfw_arp, CTLFLAG_RW, *************** *** 289,294 **** --- 290,297 ---- &pfil_bridge, 0, "Packet filter on the bridge interface"); SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW, &pfil_member, 0, "Packet filter on the member interface"); + SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_local_phys, CTLFLAG_RW, + &pfil_local_phys, 0, "Show physical interface for bridge-destined packets"); struct bridge_control { int (*bc_func)(struct bridge_softc *, void *); *************** *** 1984,1989 **** --- 1987,2006 ---- if (memcmp(eh->ether_dhost, IFP2ENADDR(bifp), ETHER_ADDR_LEN) == 0) { + /* Try to filter on the physical interface. + * + */ + if (pfil_local_phys && ((inet_pfil_hook.ph_busy_count >= 0) + #ifdef INET6 + || (inet6_pfil_hook.ph_busy_count >= 0) + #endif + )) { + if (bridge_pfil(&m, ifp, NULL, PFIL_IN)!=0 || + m == NULL) { + BRIDGE_UNLOCK(sc); + return NULL; + } + } /* * If the packet is for us, set the packets source as the * bridge, and return the packet back to ether_input for -- Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT 70174 Stuttgart Geschwister-Scholl-Straße 24D T +49 (0)711 121-4228 F +49 (0)711 121-4276 E office@casino.uni-stuttgart.de I http://www.casino.uni-stuttgart.de
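Review bot: in the first hunk (lines 281-287) the comment on the new variable reads "bridge-destined packages"; it should say "packets", and the "PATCH" marker does not belong in a comment that is meant to be committed, because this comment is the only in-tree description of the knob. Suggest wording it like the neighbouring pfil_member comment: `static int pfil_local_phys = 0; /* run pfil hooks on the member interface for bridge-destined packets */`.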
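Review bot: in the second hunk (lines 290-297) the new sysctl is CTLFLAG_RW, so it can be flipped at runtime, but its description string "Show physical interface for bridge-destined packets" does not say what actually changes for the administrator: the filter then sees such packets on the member interface rather than on the bridge, so rules written against bridge0 stop matching them. The patch touches only if_bridge.c, so there is no matching bridge(4) update either. Suggest a description in the style of the adjacent entries, e.g. `"Packet filter on the member interface for packets destined to the bridge"`, plus a bridge(4) paragraph next to pfil_bridge and pfil_member.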
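Review bot: in the third hunk (lines 1987-2006) the new block calls `bridge_pfil(&m, ifp, NULL, PFIL_IN)` on the member interface and then falls through into the existing "packet is for us" path, whose comment says it sets the packet's source as the bridge and returns it to ether_input. The hunk does not show the later pass on the bridge interface being skipped, so please confirm that a locally destined packet is not filtered twice (once as em0, once as bridge0) when pfil_local_phys=1; if it is, either suppress the second pass when this one has run or document the double pass, since the cover note promises "physical interface only". Two smaller points: the condition tests `ph_busy_count` but not `pfil_member`, so this member-interface pass runs even when the administrator has set net.link.bridge.pfil_member=0, which is surprising and should probably be `pfil_local_phys && pfil_member && (...)`; and the comment block "Try to filter on the physical interface. * */" carries an empty comment line, while `!=0` should be `!= 0` per style(9).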
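As an added illustration, not part of the original message or of the kern/116051 patch, here is the kind of pf.conf adaptation the note above asks for once the knob is on. Interface names em0/em1/bridge0, the firewall address 192.0.2.1 and the management host 192.0.2.50 are assumed for the example; the sysctl names are the ones the patch adds or that if_bridge already exposes.

```pf
# pf.conf fragment (added example; interfaces and addresses are assumed).
#
# Assumed /etc/sysctl.conf on the patched 6.2 kernel:
#   net.link.bridge.pfil_member=1        # filter forwarded traffic on members
#   net.link.bridge.pfil_local_phys=1    # patch: see bridge-destined packets on the member

ext_if    = "em0"         # member facing the upstream router
int_if    = "em1"         # member facing the LAN
bridge_if = "bridge0"     # bridge carrying the firewall's own address
fw_addr   = "192.0.2.1"   # address assigned to bridge0
mgmt_host = "192.0.2.50"  # LAN host allowed to reach the firewall

set skip on lo0

# Without the patch (or with pfil_local_phys=0) a packet addressed to
# $fw_addr is seen by pf on $bridge_if, whichever member it came in on, so
# "only from the LAN side" cannot be expressed; the rule has to be:
#
#   pass in on $bridge_if proto tcp from $mgmt_host to $fw_addr port 22
#
# and a spoofed packet from the upstream side with a source of $mgmt_host
# matches it just as well.

block in log all
pass out quick keep state

# With pfil_local_phys=1 the same packet is seen on the member it physically
# arrived on, so management access can be pinned to the LAN-side member and
# the same packet arriving on $ext_if falls through to the default block.
pass in on $int_if proto tcp from $mgmt_host to $fw_addr port 22 \
    flags S/SA keep state

# Traffic the bridge forwards (not addressed to the firewall) was already
# filtered on the members via pfil_member=1 and is unaffected by the patch.
pass in on $ext_if proto tcp from any to !$fw_addr port { 80 443 } keep state
pass in on $int_if from any to !$fw_addr keep state
```

The point of the last two rule groups is that only packets destined for the firewall itself change interface under the patch; forwarded traffic was already attributed to the member interface, so existing member rules stay valid and only rules that named $bridge_if need rewriting.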