Date: Mon, 24 Feb 2003 11:30:52 +0100
From: Thomas <thomas@gielfeldt.dk>
To: freebsd-net@freebsd.org
Subject: Netgraph filtering bridge
Message-ID: <5.2.0.9.0.20030224105350.00b6d760@mail.gielfeldt.dk>

Hi All

I hope somebody out there can help me with a problem I'm having.

I want to make a filtering bridge. I've got the bridge working (using
netgraph), but I can't seem to implement filtering using a bpf node.

My current configuration of the bridge is as follows:

  +---------------------------------+
  |         bnet0 (bridge)          |
  +---+----------+---+----------+---+
  |   |          |   |          |   |
  | L |          | L |          | L |
  | i |          | i |          | i |
  | n |          | n |          | n |
  | k |          | k |          | k |
  | 0 |          | 1 |          | 2 |
  |   |          |   |          |   |
  +---+          +---+          +---+
  |   |          |   |          |   |
  | L |          | U |          | L |
  | o |          | p |          | o |
  | w |          | p |          | w |
  | e |          | e |          | e |
  | r |          | r |          | r |
  |   |          |   |          |   |
+-+---+-+      +-+---+-+      +-+---+-+
|  rl0  |      |  rl0  |      | tap0  |
+-------+      +-------+      +-------+

The tap0 device is the one I want to filter, preferably for both incoming
and outgoing if possible, but one-way filtering will suffice.

I was thinking of a setup somewhat like this:

  +---------------------------------+
  |         bnet0 (bridge)          |
  +---+----------+---+----------+---+
  |   |          |   |          |   |
  | L |          | L |          | L |
  | i |          | i |          | i |
  | n |          | n |          | n |
  | k |          | k |          | k |
  | 0 |          | 1 |          | 2 |
  |   |          |   |          |   |
  +---+          +---+          +---+
  |   |          |   |          |   |
  | L |          | U |          | M |
  | o |          | p |          | a |
  | w |          | p |          | t |
  | e |          | e |          | c |
  | r |          | r |          | h |
  |   |          |   |          | H |
+-+---+-+      +-+---+-+        | o |
|  rl0  |      |  rl0  |        | o |
+-------+      +-------+        | k |
                              +-+---+-+-------------+
                              | bpf0  | NoMatchHook | -> (to nothingness)
                              +-+---+-+-------------+
                                |   |
                                | t |
                                | h |
                                | i |
                                | s |
                                | H |
                                | o |
                                | o |
                                | k |
                                |   |
                                +---+
                                |   |
                                | L |
                                | o |
                                | w |
                                | e |
                                | r |
                                |   |
                              +-+---+-+
                              | tap0  |
                              +-------+

However, I'm not sure if that is the right way to implement it, since it
doesn't work. I've also tried using one2many to split tap0:lower into two
hooks, because I thought that the setup described above could only allow
for data being transmitted in one direction. But that did not work either.

I've used the shell script ether.bridge as a basis for the configuration. I
can mail the script I've made (it's not very big) in my next post if that
will help. This mail is big enough already as it is, I think.

If someone has some suggestions, they would be much appreciated.

Thanks

Br,
Thomas Gielfeldt
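
An added example, not part of the original message: a shell script that prints the ngctl commands for the layout drawn above (bpf0 between bnet0's link2 and tap0:lower), installing one ng_bpf(4) program per hook so that frames can pass in both directions. The hook names toBridge and toTap, the IPv4-only filter and the unconnected link2 hook are assumptions made for the example.

```shell
#!/bin/sh
# Added example: prints, but does not run, ngctl commands for bridge -> bpf0 -> tap0.
# bnet0, link2, bpf0 and tap0 are from the post; hook names toBridge/toTap are assumed.
# Assumes bnet0's link2 hook is not already connected to tap0:lower.

# stdin: a filter in `tcpdump -ddd` format (count line, then "code jt jf k" lines).
# stdout: the bpf_prog_len/bpf_prog fields of an ng_bpf(4) setprogram message.
bpf_fields() {
    read -r len || return 1
    prog=""; n=0
    while read -r code jt jf k; do
        prog="$prog { code=$code jt=$jt jf=$jf k=$k }"
        n=$((n + 1))
    done
    [ "$n" -eq "$len" ] || return 1   # truncated or malformed filter: refuse it
    printf 'bpf_prog_len=%s bpf_prog=[%s ]' "$len" "$prog"
}

# $1 = hook the frames arrive on, $2 = hook matching frames leave by.
# ifNotMatch is left empty, so frames that do not match are dropped.
setprogram() {
    fields=$(bpf_fields) || return 1
    printf "ngctl msg bpf0: setprogram '{ thisHook=\"%s\" ifMatch=\"%s\" ifNotMatch=\"\" %s }'\n" \
        "$1" "$2" "$fields"
}

# Constructed sample filter: pass IPv4 Ethernet frames only (ethertype 0x0800 = 2048).
IP_ONLY='4
40 0 0 12
21 0 1 2048
6 0 0 8192
6 0 0 0'
# Constructed sample filter: a single "ret 8192", which passes every frame.
PASS_ALL='1
6 0 0 8192'

filter_bridge_cmds() {
    echo 'ngctl mkpeer bnet0: bpf link2 toBridge'
    echo 'ngctl name bnet0:link2 bpf0'
    echo 'ngctl connect bpf0: tap0: toTap lower'
    # Bridge to tap0: filtered. A program applies only to the hook named in thisHook.
    echo "$IP_ONLY" | setprogram toBridge toTap || return 1
    # tap0 to bridge: needs its own program, or nothing flows in this direction.
    echo "$PASS_ALL" | setprogram toTap toBridge || return 1
}

filter_bridge_cmds
```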
