Date: Fri, 2 Feb 2001 20:10:59 +0100
From: Hroi Sigurdsson <hroi@netgroup.dk>
To: "Thomas T. Veldhouse" <veldy@veldy.net>
Cc: freebsd-stable@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bridge and IPFW woes ...
Message-ID: <20010202201059.A48414@chewbacca.netgroup.dk>
In-Reply-To: <006801c08d39$6974f9e0$3028680a@tgt.com>; from veldy@veldy.net on Fri, Feb 02, 2001 at 10:58:48AM -0600
References: <006801c08d39$6974f9e0$3028680a@tgt.com>
On Fri, Feb 02, 2001 at 10:58:48AM -0600, Thomas T. Veldhouse wrote:
> If I change the bridging code over to NETGRAPH - this scenario does not
> happen. All communication works just fine between all the hosts and the
> Internet, however, all firewall rules that would apply to Host B and C seem
> to quit working. In other words - all the hosts, except for Host A, are
> left completely unprotected. I have tried using IPFILTER with both the in
> kernel bridging code and NETGRAPH and have come to the same conclusion.
> There is no way to filter the bridged packets.
Netgraph doesn't support ipfw. It is in the TODO; look at this
from sys/netgraph/ng_bridge.c:

	/* Run packet through ipfw processing, if enabled */
	if (priv->conf.ipfw[linkNum] && fw_enable && ip_fw_chk_ptr != NULL) {
		/* XXX not implemented yet */
	}

It would be really nice to have code in there instead of that comment,
or a separate ipfw netgraph node altogether :-)
I've been reading through some of the netgraph code and it is a
beautiful thing to behold.
--
Hroi Sigurdsson hroi@netgroup.dk
Netgroup A/S http://www.netgroup.dk