Date: Sat, 27 Oct 2018 18:16:20 +0300
From: Victor Gamov <vit@otcnet.ru>
To: freebsd-net@freebsd.org
Subject: ipfw on bridge connecting vlans
Message-ID: <36cd661e-ca54-be94-fd64-01ee768d5053@otcnet.ru>
Hi All

I have some misunderstanding of how ipfw works with VLAN and bridge.

I have the following config:

              bridge2
            ------------
           /     |      \
          /      |       \
         /       |        \
    vlan200   vlan300   vlan400
    (igb0)    (igb0)    (igb1)

=====
net.link.bridge.ipfw: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
net.link.ether.ipfw=1
=====

I need to allow some multicast from some vlans, block other multicast and forward allowed multicast into other vlans.

For example: allow 239.0.0.10 received via vlan200 but block the same 239.0.0.10 if it comes via another vlan. Then bridge 239.0.0.10 into vlan400.

The simplest ipfw rules for this example:

=====
table blockit create type iface
table blockit add vlan200
table blockit add vlan300
table blockit add vlan400

1000 allow ip from any to any via igb0
1002 allow ip from any to any via igb2
1100 deny ip from any to any mac-type 0x0806 via bridge2
1102 allow ip from any to any via bridge2
2000 allow ip from any to 239.0.0.10 in via vlan200
4000 allow ip from any to 239.0.0.10 out via vlan400
9000 deny ip from any to any via table(blockit)
65000 allow ip from any to any
=====

My expectations are as follows:

1. Ethernet packet tagged as VLAN-200 arrives on igb0. This packet has igb0 as 'recv'. The packet is checked by ipfw now, so I need
   1000 allow ip from any to any via igb0
   1002 allow ip from any to any via igb2

2. Ethernet packet is untagged and checked by ipfw. This packet has vlan200 as 'recv'. The packet passes 2000. If dst 239.0.0.10 comes from vlan300 it is blocked by 9000.

3. IP packet comes through if_bridge and is checked by ipfw. ARP packets are blocked by 1100. Other packets pass via bridge2 by 1102.

4. IP multicast packet is copied to all bridge members and checked by ipfw on all outgoing interfaces: the packet passes 4000 on vlan400, but is blocked by 9000 on vlan300. So only one bridge member has this packet.

5. Ethernet packet tagged as VLAN-400 and checked by ipfw. Packet passes by 4000.

6. Tagged packet out via igb2 and checked by ipfw. Packet passes by 1002.

Can somebody explain to me how a tagged multicast packet goes via bridge and is passed into IPFW, and correct my previous packet path?

Thanks!

--
CU
Victor Gamov
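A way to sanity-check the expected packet path above against ipfw's first-match rule evaluation, as an added example that is not part of the original post or of FreeBSD's ipfw code: it models only ipfw(8) matching semantics (first match wins, "via" matches either direction, "in via"/"out via" one direction, table(blockit) as an interface table) over the ruleset quoted in the post, with hook points taken from the post's own numbered steps; it does not answer where if_bridge actually invokes ipfw, which is the open question.

```python
# Added example (not from the post): first-match evaluator for the ipfw ruleset
# quoted above. It models ipfw(8) matching only (first match wins; "via" matches
# either direction, "in via"/"out via" one direction; table(blockit) lists
# interfaces), not where if_bridge actually calls ipfw, which the post asks about.
from dataclasses import dataclass
BLOCKIT = {"vlan200", "vlan300", "vlan400"}  # "table blockit" from the post
# (number, action, dst or None, direction or None, ifaces or None, mac-type or None)
RULES = [
    (1000, "allow", None, None, {"igb0"}, None),
    (1002, "allow", None, None, {"igb2"}, None),
    (1100, "deny", None, None, {"bridge2"}, 0x0806),
    (1102, "allow", None, None, {"bridge2"}, None),
    (2000, "allow", "239.0.0.10", "in", {"vlan200"}, None),
    (4000, "allow", "239.0.0.10", "out", {"vlan400"}, None),
    (9000, "deny", None, None, BLOCKIT, None),
    (65000, "allow", None, None, None, None),
]

@dataclass
class Pkt:
    dst: str
    direction: str          # "in" or "out" at the interface ipfw is called on
    iface: str              # interface ipfw sees the packet on at this hook
    mac_type: int = 0x0800  # Ethertype; 0x0806 is ARP

def first_match(pkt):
    """Return (rule number, action) of the first rule that matches pkt."""
    for num, action, dst, direction, ifaces, mac_type in RULES:
        if all((dst is None or pkt.dst == dst,
                direction is None or pkt.direction == direction,
                ifaces is None or pkt.iface in ifaces,
                mac_type is None or pkt.mac_type == mac_type)):
            return num, action
    raise RuntimeError("unreachable: ipfw ends with default rule 65535")

# Hook points as the post's steps 1-6 describe them (constructed sample packets).
STEPS = [
    ("1 tagged frame in on igb0",  Pkt("239.0.0.10", "in", "igb0")),
    ("2 untagged in on vlan200",   Pkt("239.0.0.10", "in", "vlan200")),
    ("2 same dst in on vlan300",   Pkt("239.0.0.10", "in", "vlan300")),
    ("3 ARP through bridge2",      Pkt("n/a", "in", "bridge2", 0x0806)),
    ("3 IP through bridge2",       Pkt("239.0.0.10", "in", "bridge2")),
    ("4 copy out on vlan400",      Pkt("239.0.0.10", "out", "vlan400")),
    ("4 copy out on vlan300",      Pkt("239.0.0.10", "out", "vlan300")),
    ("6 tagged frame out on igb2", Pkt("239.0.0.10", "out", "igb2")),
]

def walk():
    """Evaluate each step; returns {step label: (rule number, action)}."""
    return {label: first_match(p) for label, p in STEPS}
```

Running walk() reproduces the post's expectations step by step (2000 on vlan200, 9000 on vlan300 in both directions, 1100 for ARP on bridge2, 4000 out on vlan400, 1002 out on igb2); any step where the real kernel path differs from these hook points is exactly where the ruleset needs revisiting.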