From: "Andrew Seguin"
To: "'Nickolay A. Kritsky'"
Cc: freebsd-net@freebsd.org
Date: Fri, 17 Dec 2004 15:28:06 +0100
Subject: RE: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?
In-Reply-To: <721371959296.20041217154130@star-sw.com>
Message-Id: <20041217142930.4E39254C3@borgtech.ca>

Would changing over to RELENG_4 remove these headaches for me?

Maybe if I patch the code you pointed out to be ETHERTYPE_VLAN instead of _IP, then ipfw will filter only VLAN traffic instead of IP traffic. This I would be willing to do until a patch became mainstream.

So if the above works, I could just remove remote-console access and leave the box without an IP address, and IPFW would happily work with filters such as "deny ip from any to any $PORT"...

Thank you for your help to date, I shall stay tuned to any other ideas!
Andrew

-----Original Message-----
From: Nickolay A. Kritsky [mailto:nkritsky@star-sw.com]
Sent: Friday, December 17, 2004 1:42 PM
To: Andrew Seguin
Cc: freebsd-net@freebsd.org
Subject: Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?

Hello Andrew,

Friday, December 17, 2004, 12:47:46 PM, Andrew Seguin wrote:

...

I cannot say for sure, because I do not have any 5.x filtering bridge right now. But after reading some sources I think I understand what is happening: bdg_forward in bridge.c is calling ipfw or another packet filter:

    /*
     * NetBSD-style generic packet filter, pfil(9), hooks.
     * Enables ipf(8) in bridging.
     */
    if (!IPFW_LOADED) {
        /* XXX: Prevent ipfw from being run twice. */
        if (inet_pfil_hook.ph_busy_count >= 0 &&
            m0->m_pkthdr.len >= sizeof(struct ip) &&
            ntohs(save_eh.ether_type) == ETHERTYPE_IP) {

Note the last line: for a VLAN-tagged packet the field save_eh.ether_type would be ETHERTYPE_VLAN instead of ETHERTYPE_IP and no filtering will take place. That is what I think is going on.

Who is the current maintainer of bridge code in FreeBSD?

-- 
Best regards,
Nickolay A. Kritsky
SysAdmin STAR Software LLC
mailto:nkritsky@star-sw.com

-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.5.4 - Release Date: 12/15/2004
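The following is an added worked example, not code from FreeBSD's bridge.c and not written by either correspondent. It reproduces the effect of the quoted check in user space: a bridge hook that only looks at the outer Ethernet type (ETHERTYPE_IP) never hands an 802.1Q-tagged frame to the packet filter, because the tagged frame carries ETHERTYPE_VLAN in that field and the IP header sits four bytes further in. A VLAN-aware variant walks over the tag(s) first and then applies the same IP test to the inner type. The function names, the sample frames and the "VLAN-aware" fix are all constructed for this example; they are not a FreeBSD patch.

```c
/* Added example (not FreeBSD's bridge.c): why a bridge filter hook keyed on
 * the outer Ethernet type misses 802.1Q-tagged IP frames, and how a
 * VLAN-aware check recovers the encapsulated IP packet. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_VLAN 0x8100
#define ETHER_HDR_LEN  14
#define VLAN_TAG_LEN   4
#define MIN_IP_HDR_LEN 20

/* Read a big-endian 16-bit field (what ntohs() does on the wire bytes). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Mirrors the check quoted from bdg_forward(): the frame goes to ipfw only
 * when the outer ether_type is ETHERTYPE_IP and an IP header fits behind it.
 * A tagged frame has ether_type 0x8100 there and silently falls through. */
int bridge_filters_frame_old(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN)
        return 0;
    return len - ETHER_HDR_LEN >= MIN_IP_HDR_LEN &&
           be16(frame + 12) == ETHERTYPE_IP;
}

/* Hypothetical VLAN-aware variant: skip any 802.1Q tags, then apply the same
 * IP test to the inner ether_type. Returns the byte offset of the IP header,
 * or -1 if the frame is not IP or is truncated. A bridge would pass that
 * offset (or a pulled-up mbuf) to the filter instead of dropping the frame
 * on the floor. */
long bridge_ip_offset_vlan_aware(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN)
        return -1;
    size_t off = 12;                         /* position of the ether_type field */
    uint16_t type = be16(frame + off);
    /* Each 802.1Q tag is 4 bytes (TPID 0x8100 + TCI); QinQ stacks several. */
    while (type == ETHERTYPE_VLAN) {
        if (len < off + 2 + VLAN_TAG_LEN)
            return -1;                       /* truncated tag */
        off += VLAN_TAG_LEN;
        type = be16(frame + off);
    }
    size_t ip_off = off + 2;
    if (type != ETHERTYPE_IP || len - ip_off < MIN_IP_HDR_LEN)
        return -1;
    return (long)ip_off;
}

/* Build a constructed sample frame (not a capture): Ethernet header, optional
 * 802.1Q tag carrying vlan_id, then a 20-byte IPv4 header (0x45, rest zero).
 * Returns the frame length. */
size_t build_ipv4_frame(uint8_t *buf, int tagged, uint16_t vlan_id)
{
    size_t off = 0;
    memset(buf + off, 0xff, 6); off += 6;                        /* dst: broadcast */
    memcpy(buf + off, "\x02\x00\x00\x00\x00\x01", 6); off += 6;  /* src: locally administered */
    if (tagged) {
        buf[off++] = 0x81; buf[off++] = 0x00;                     /* TPID = ETHERTYPE_VLAN */
        buf[off++] = (uint8_t)(vlan_id >> 8);                     /* PCP=0, DEI=0, VID */
        buf[off++] = (uint8_t)(vlan_id & 0xff);
    }
    buf[off++] = 0x08; buf[off++] = 0x00;                         /* (inner) type = IP */
    memset(buf + off, 0, MIN_IP_HDR_LEN);
    buf[off] = 0x45;                                              /* IPv4, IHL = 5 */
    buf[off + 3] = MIN_IP_HDR_LEN;                                /* total length = 20 */
    off += MIN_IP_HDR_LEN;
    return off;
}

/* Convenience wrappers that run each check over the constructed samples. */
int old_check_on_sample(int tagged)
{
    uint8_t buf[64];
    size_t len = build_ipv4_frame(buf, tagged, 100);
    return bridge_filters_frame_old(buf, len);
}

long vlan_aware_on_sample(int tagged)
{
    uint8_t buf[64];
    size_t len = build_ipv4_frame(buf, tagged, 100);
    return bridge_ip_offset_vlan_aware(buf, len);
}

int main(void)
{
    printf("untagged IP: old check=%d, vlan-aware IP offset=%ld\n",
           old_check_on_sample(0), vlan_aware_on_sample(0));
    printf("802.1Q IP:   old check=%d, vlan-aware IP offset=%ld\n",
           old_check_on_sample(1), vlan_aware_on_sample(1));
    return 0;
}
```

The untagged frame passes both checks with the IP header at offset 14; the tagged frame fails the outer-type check (so a bridge using it would forward the frame unfiltered) while the VLAN-aware lookup finds the IP header at offset 18. Whether a filtering bridge or firewall inspects tagged traffic at all is therefore worth verifying explicitly, for example by sending a tagged test flow through it and confirming the expected rule hits.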