From: Eugene Grosbein <eugen@grosbein.net>
To: Victor Gamov, freebsd-net@freebsd.org
Subject: Re: ipfw on bridge connecting vlans
Date: Sat, 27 Oct 2018 22:44:35 +0700
Message-ID: <9b8d8c04-8e3e-b148-8a08-135d6ac1785d@grosbein.net>
In-Reply-To: <36cd661e-ca54-be94-fd64-01ee768d5053@otcnet.ru>
List-Id: Networking and TCP/IP with FreeBSD

27.10.2018 22:16, Victor Gamov wrote:
>
> Hi All
>
> I have some misunderstanding of how ipfw works with VLAN and bridge
>
> I have the following config
>
>
>           bridge2
>        ------------
>        /    |     \
>       /     |      \
>      /      |       \
>  vlan200  vlan300  vlan400
>  (igb0)   (igb0)   (igb1)
>
>
> =====
> net.link.bridge.ipfw: 1
> net.link.bridge.allow_llz_overlap: 0
> net.link.bridge.inherit_mac: 0
> net.link.bridge.log_stp: 0
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 0
> net.link.bridge.ipfw_arp: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.pfil_onlyip: 0
>
> net.link.ether.ipfw=1
> =====
>
>
> I need to allow some multicast from some vlans, block other multicast and forward allowed multicast into other vlans

Your ruleset needs to differentiate packets based on the name of the incoming bridge member, but you forgot to enable net.link.bridge.pfil_member=1. Enable it.

Also note that changing net.link.bridge.ipfw from 0 to 1 disables net.link.bridge.{pfil_member|pfil_onlyip|pfil_bridge}, but you are allowed to enable them afterwards.

net.link.bridge.pfil_member=1 makes frames enter the ruleset as incoming from the bridge member; zero disables this pass.

net.link.bridge.ipfw=1 makes frames enter the ruleset again as incoming from the bridge interface itself, without distinction of bridge member, and forwarded frames enter the ruleset one more time as outgoing from the bridge itself. And a frame enters the ruleset one MORE time as outgoing from the bridge member if net.link.bridge.pfil_member=1.
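An added sh example (mine, not code from either message) that writes down the sysctl order the reply describes and a ruleset that keys on the incoming bridge member; interface names follow the diagram above, while the group range 239.1.1.0/24, the rule numbers and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names follow Victor's
# diagram (bridge2, vlan200/vlan300/vlan400); the multicast group range
# 239.1.1.0/24 and the rule numbers are assumptions for illustration.

BRIDGE="bridge2"
SRC_MEMBER="vlan200"              # the only member allowed to source multicast
OTHER_MEMBERS="vlan300 vlan400"   # members whose multicast must be dropped
ALLOWED_GROUPS="239.1.1.0/24"     # constructed example group range

# Setting net.link.bridge.ipfw=1 resets pfil_member/pfil_bridge/pfil_onlyip
# to 0, so pfil_member=1 has to be applied *after* it, not before.
bridge_sysctls() {
    cat <<EOF
net.link.ether.ipfw=1
net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=1
net.link.bridge.pfil_member=1
EOF
}

# 'in recv <member>' only matches on the per-member pass that pfil_member=1
# enables; with it left at 0 rule 100 never matches and rule 200 drops all
# multicast. Frames that survive the member pass traverse the ruleset again
# on the bridge and outgoing passes, which rule 120 covers.
ipfw_ruleset() {
    echo "add 100 allow udp from any to $ALLOWED_GROUPS in recv $SRC_MEMBER"
    for m in $OTHER_MEMBERS; do
        echo "add 110 deny ip from any to 224.0.0.0/4 in recv $m"
    done
    echo "add 120 allow udp from any to $ALLOWED_GROUPS"
    echo "add 200 deny ip from any to 224.0.0.0/4"
    echo "add 65000 allow ip from any to any"
}

# Apply on a FreeBSD host; skipped elsewhere so the script stays runnable.
# Rules are added without flushing, so pick numbers that do not collide.
apply_config() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found, not applying" >&2; return 0; }
    bridge_sysctls | while read -r kv; do sysctl "$kv"; done
    ipfw_ruleset | ipfw -q /dev/stdin
}
```

Frames from vlan300 or vlan400 hit the deny at rule 110 on the member pass, so they never reach the unconditional allow at rule 120 on the later bridge and outgoing passes.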