From owner-freebsd-bugs Fri Dec 22 11:50: 9 2000
From owner-freebsd-bugs@FreeBSD.ORG Fri Dec 22 11:50:01 2000
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 75BDD37B402 for ; Fri, 22 Dec 2000 11:50:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id eBMJo1E14587; Fri, 22 Dec 2000 11:50:01 -0800 (PST) (envelope-from gnats)
Resent-Date: Fri, 22 Dec 2000 11:50:01 -0800 (PST)
Resent-Message-Id: <200012221950.eBMJo1E14587@freefall.freebsd.org>
Resent-From: gnats-admin@FreeBSD.org (GNATS Management)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: gnats-admin@FreeBSD.org, joost@bps.eca-mail.org
Received: from bps.eca-mail.org (c115139.upc-c.chello.nl [212.187.115.139]) by hub.freebsd.org (Postfix) with ESMTP id EE54337B400; Fri, 22 Dec 2000 11:42:44 -0800 (PST)
Received: (from joost@localhost) by bps.eca-mail.org (8.11.1/8.11.1) id eBMJggO05347; Fri, 22 Dec 2000 20:42:42 +0100 (CET) (envelope-from joost)
Message-Id: <200012221942.eBMJggO05347@bps.eca-mail.org>
Date: Fri, 22 Dec 2000 20:42:42 +0100 (CET)
From: Joost Bekkers
Reply-To: joost@bps.eca-mail.org
To: FreeBSD-gnats-submit@freebsd.org, FreeBSD-current@freebsd.org, joost@bps.eca-mail.org
X-Send-Pr-Version: 3.2
Subject: kern/23771: bridge code doesn't work like the man page says
Resent-Sender: gnats@FreeBSD.org
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 23771
>Category: kern
>Synopsis: bridge/firewall doesn't work as in bridge(4)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 22 11:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Joost Bekkers
>Release: FreeBSD 4.2-RELEASE i386
>Organization:
>Environment:
4.2 RELEASE with the options BRIDGE and
IPFIREWALL.
>Description:
When using a kernel with BRIDGE and IPFIREWALL and not IPFIREWALL_DEFAULT_TO_ACCEPT, bridge(4) states all non-ip packets will not be forwarded. This is not true! All non-ip packets will be forwarded regardless of the firewall.
>How-To-Repeat:
Make a kernel with BRIDGE and IPFIREWALL. Generate non-ip (like arp or ipx) traffic and notice how it passes through the bridge.
>Fix:
I've added some options to make the bridge/firewall combo useful.

# $FreeBSD: src/sys/conf/options,v 1.191.2.20 2000/11/16 17:28:30 archie Exp $ *** conf/options~ Thu Dec 21 20:06:38 2000 --- conf/options Thu Dec 21 13:04:05 2000 *************** *** 220,225 **** --- 220,228 ---- BOOTP_NFSV3 opt_bootp.h BOOTP_WIRED_TO opt_bootp.h BRIDGE opt_bdg.h + BRIDGE_IP_ONLY opt_bdg.h + BRIDGE_ALLOW_ARP opt_bdg.h + BRIDGE_ALLOW_RARP opt_bdg.h ETHER_II opt_ef.h ETHER_8023 opt_ef.h ETHER_8022 opt_ef.h * $FreeBSD: src/sys/net/bridge.c,v 1.16.2.6 2000/09/25 17:30:01 nsayer Exp $ *** net/bridge.c~ Thu Dec 21 20:04:45 2000 --- net/bridge.c Thu Dec 21 20:44:41 2000 *************** *** 56,61 **** --- 56,71 ---- * option BRIDGE * and then at runtime set the sysctl variable to enable bridging. * + * If you want to combine a bridge with a firewall: + * option IPFIREWALL + * and since it usualy doesn't make a lot of sense to block ip and + * let all the other protocols pass freely, use + * option BRIDGE_IP_ONLY + * And because arp (and sometimes rarp) can be extremely usefull in + * an ip network + * option BRIDGE_ALLOW_ARP + * option BRIDGE_ALLOW_RARP + * * Only one interface is supposed to have addresses set (but * there are no problems in practice if you set addresses for more * than one interface).
*************** *** 91,96 **** --- 101,107 ---- #include "opt_ipfw.h" #include "opt_ipdn.h" + #include "opt_bdg.h" #if defined(IPFIREWALL) #include *************** *** 445,450 **** --- 456,474 ---- bzero(ifp2sc, BDG_MAX_PORTS * sizeof(struct bdg_softc) ); bzero(&bdg_stats, sizeof(bdg_stats) ); + /* added by bps */ + printf("BRIDGING ENABLED" + #ifdef BRIDGE_IP_ONLY + " protocols ip" + #ifdef BRIDGE_ALLOW_ARP + ",arp" + #endif + #ifdef BRIDGE_ALLOW_RARP + ",rarp" + #endif + " only" + #endif + "\n"); bdgtakeifaces(); bdg_timeout(0); do_bridge=0; *************** *** 658,663 **** --- 682,688 ---- struct ip_fw_chain *rule = NULL ; int off; struct ip *ip ; + u_short frame_type; m = *m0 ; #ifdef DUMMYNET *************** *** 678,685 **** --- 703,729 ---- goto forward ; if (src == NULL) goto forward ; /* do not apply to packets from ether_output */ + frame_type=ntohs(eh->ether_type); + #ifdef BRIDGE_ALLOW_ARP + if (frame_type == ETHERTYPE_ARP) + goto forward ; /* BRIDGE_ALLOW_ARP is defined, so forward arp */ + #endif + #ifdef BRIDGE_ALLOW_RARP + if (frame_type == ETHERTYPE_REVARP) + goto forward ; /* BRIDGE_ALLOW_RARP is defined, so forward rarp */ + #endif if (ntohs(eh->ether_type) != ETHERTYPE_IP) + #ifdef BRIDGE_IP_ONLY /* we're bridging IP (and maybe arp/rarp) only */ + { + if (canfree) { + m_freem(*m0) ; + *m0 = NULL ; + } + return 0; + } + #else /* we're bridging everything */ goto forward ; /* not an IP packet, ipfw is not appropriate */ + #endif /* * In this section, canfree=1 means m is the same as *m0. * canfree==0 means m is a copy. We need to make a copy here

>Release-Note:
>Audit-Trail:
>Unformatted:
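Review bot: the conf/options hunk (`*** 220,225 ****`) registers BRIDGE_IP_ONLY, BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP in opt_bdg.h, but no hunk touches bridge(4), the very page this PR reports as out of step with the code; add a man page change describing the three options, and state there that non-IP frames are only dropped when BRIDGE_IP_ONLY is set, so a reader does not again expect the firewall to block them by itself.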
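Review bot: spelling in the added comment block of the bridge.c hunk `*** 56,61 ****`: "usualy" and "usefull" should be "usually" and "useful". The comment also presents BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP as independent choices, yet in the `*** 678,685 ****` hunk their `goto forward` only changes the outcome when BRIDGE_IP_ONLY is defined (without it every non-IP frame is forwarded anyway); say so here, e.g. "these two only have an effect together with BRIDGE_IP_ONLY".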
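Review bot: in the hunk `*** 445,450 ****` the marker `/* added by bps */` records who wrote the lines rather than what they do; the revision history already carries authorship, so replace it with a comment describing the message, such as `/* report which frame types the bridge will forward */`, or drop it. The string-literal fragments split across `#ifdef BRIDGE_IP_ONLY` / `#ifdef BRIDGE_ALLOW_ARP` / `#ifdef BRIDGE_ALLOW_RARP` are concatenated by the compiler as intended, so the printf itself is fine.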
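Review bot: `u_short frame_type;` in the hunk `*** 658,663 ****` is declared, and in the following hunk assigned with `frame_type=ntohs(eh->ether_type);`, unconditionally, but it is only read inside `#ifdef BRIDGE_ALLOW_ARP` and `#ifdef BRIDGE_ALLOW_RARP`; with neither option configured it is a set-but-unused variable. Either guard the declaration and assignment with the same conditionals, or better, reuse it in the existing `if (ntohs(eh->ether_type) != ETHERTYPE_IP)` test so the byte swap is done once and the variable is always used.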
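Review bot: in the hunk `*** 678,685 ****`, `#ifdef BRIDGE_IP_ONLY` is inserted between `if (ntohs(eh->ether_type) != ETHERTYPE_IP)` and its body, so the same `if` has a braced block as its body in one configuration and a bare `goto forward ;` in the other; that is easy to misread and to break in a later edit. Put the complete `if` statement inside each branch of the conditional instead. The drop path also open-codes the mbuf release (`if (canfree) { m_freem(*m0) ; *m0 = NULL ; } return 0;`); if the function has a shared drop path for the ipfw-deny case, jumping to it would keep the bridge statistics and free logic in one place.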