From: Thomas <thomas@gielfeldt.dk>
To: freebsd-net@freebsd.org
Date: Mon, 24 Feb 2003 11:30:52 +0100
Subject: Netgraph filtering bridge

Hi All

I hope somebody out there can help me with a problem I'm having. I want to make a filtering bridge. I've got the bridge working (using netgraph), but I can't seem to implement filtering using a bpf node.
My current configuration of the bridge is as follows:

  +---------------------------------+
  |         bnet0 (bridge)          |
  +---+----------+---+----------+---+
  |   |          |   |          |   |
  | L |          | L |          | L |
  | i |          | i |          | i |
  | n |          | n |          | n |
  | k |          | k |          | k |
  | 0 |          | 1 |          | 2 |
  |   |          |   |          |   |
  +---+          +---+          +---+
  |   |          |   |          |   |
  | L |          | U |          | L |
  | o |          | p |          | o |
  | w |          | p |          | w |
  | e |          | e |          | e |
  | r |          | r |          | r |
  |   |          |   |          |   |
+-+---+-+      +-+---+-+      +-+---+-+
|  rl0  |      |  rl0  |      |  tap0 |
+-------+      +-------+      +-------+

The tap0 device is the one I want to filter, preferably for both incoming and outgoing if possible, but one-way filtering will suffice. I was thinking of a setup somewhat like this:

  +---------------------------------+
  |         bnet0 (bridge)          |
  +---+----------+---+----------+---+
  |   |          |   |          |   |
  | L |          | L |          | L |
  | i |          | i |          | i |
  | n |          | n |          | n |
  | k |          | k |          | k |
  | 0 |          | 1 |          | 2 |
  |   |          |   |          |   |
  +---+          +---+          +---+
  |   |          |   |          |   |
  | L |          | U |          | M |
  | o |          | p |          | a |
  | w |          | p |          | t |
  | e |          | e |          | c |
  | r |          | r |          | h |
  |   |          |   |          | H |
+-+---+-+      +-+---+-+        | o |
|  rl0  |      |  rl0  |        | o |
+-------+      +-------+        | k |
                              +-+---+-+-------------+
                              |  bpf0 | NoMatchHook | -> (to nothingness)
                              +-+---+-+-------------+
                                |   |
                                | t |
                                | h |
                                | i |
                                | s |
                                | H |
                                | o |
                                | o |
                                | k |
                                |   |
                                +---+
                                |   |
                                | L |
                                | o |
                                | w |
                                | e |
                                | r |
                                |   |
                              +-+---+-+
                              |  tap0 |
                              +-------+

However, I'm not sure if that is the right way to implement it, since it doesn't work. I've also tried using one2many to split tap0:lower into two hooks, because I thought that the setup described above could only allow for data being transmitted in one direction. But that did not work either.

I've used the shell script ether.bridge as a basis for the configuration. I can mail the script I've made (it's not very big) in my next post if that will help. This mail is big enough already as it is, I think.

If someone has some suggestions, they would be much appreciated.

Thanks

Br,
Thomas Gielfeldt
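Added example, not part of the thread and not Thomas's ether.bridge script: a shell script that splices an ng_bpf(4) node between tap0:lower and bnet0:link2 as in the second diagram above and loads one program per direction. Two points from ng_bpf(4) matter for that diagram: the node runs a separate program for each hook a frame arrives on, and a hook on which no program has been installed passes nothing. So a node with a program only on the tap0-facing hook is one-way at best, and a node with no program at all blocks everything, which matches the symptom described. The programs are built from tcpdump -ddd output in the layout the setprogram message expects (the same layout as the awk snippet in ng_bpf(4)); the -ddd listings embedded below are constructed samples of what tcpdump prints for the filter "ip" and for the empty filter when run against an Ethernet interface (compile the filter against an Ethernet interface, since the lower hook carries whole Ethernet frames). The node name bpf0, the hook names thisHook/matchHook taken from the diagram, and the NG_APPLY gate are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (added example): put an ng_bpf(4) node between
# tap0's "lower" hook and bridge hook link2, with a program per direction.
set -eu

BRIDGE="bnet0"        # ng_bridge node name (from the post)
BRIDGE_LINK="link2"   # bridge hook tap0 hung off (from the post)
BPF="bpf0"            # name we give the ng_bpf node (assumption)
HOOK_TAP="thisHook"   # bpf hook facing tap0:lower (name from the diagram)
HOOK_BR="matchHook"   # bpf hook facing bnet0:link2 (name from the diagram)

# Constructed sample of what `tcpdump -ddd ip` prints on an Ethernet
# interface: instruction count, then one "code jt jf k" line per insn.
# Accepts IPv4 frames (ethertype 0x0800 == 2048) and returns 0 for the rest.
ALLOW_IP_DDD='4
40 0 0 12
21 0 1 2048
6 0 0 262144
6 0 0 0'

# Constructed sample of `tcpdump -ddd ""`: a single "ret #262144", pass all.
PASS_ALL_DDD='1
6 0 0 262144'

# Turn tcpdump -ddd output (stdin) into the bpf_prog_len=/bpf_prog=[...]
# fragment that ng_bpf's setprogram message expects.
ddd_to_ngbpf() {
    read -r len
    printf 'bpf_prog_len=%s bpf_prog=[' "$len"
    while read -r code jt jf k; do
        [ -n "$code" ] || continue           # skip blank lines
        printf ' { code=%s jt=%s jf=%s k=%s }' "$code" "$jt" "$jf" "$k"
    done
    printf ' ]'
}

# Build one complete setprogram argument.
#   $1 = hook the frame arrives on     $2 = hook for matching frames
#   $3 = hook for non-matching frames ("" = drop)   stdin = -ddd output
setprogram_msg() {
    prog=$(ddd_to_ngbpf)
    printf '{ thisHook="%s" ifMatch="%s" ifNotMatch="%s" %s }' "$1" "$2" "$3" "$prog"
}

# Direction 1: frames from tap0 towards the bridge; IPv4 only, rest dropped.
tap_to_bridge_msg() {
    printf '%s\n' "$ALLOW_IP_DDD" | setprogram_msg "$HOOK_TAP" "$HOOK_BR" ""
}

# Direction 2: frames from the bridge towards tap0; pass everything.  A hook
# without a program passes nothing, so this direction needs its own program.
bridge_to_tap_msg() {
    printf '%s\n' "$PASS_ALL_DDD" | setprogram_msg "$HOOK_BR" "$HOOK_TAP" ""
}

# Re-wire tap0 through the bpf node and load both programs.  Needs root on
# the FreeBSD host with the bridge already built; only run with NG_APPLY=1.
apply_filter() {
    ngctl rmhook tap0: lower                        # detach tap0 from link2
    ngctl mkpeer tap0: bpf lower "$HOOK_TAP"         # new ng_bpf on tap0:lower
    ngctl name tap0:lower "$BPF"
    ngctl connect "$BPF": "$BRIDGE": "$HOOK_BR" "$BRIDGE_LINK"
    ngctl msg "$BPF": setprogram "$(tap_to_bridge_msg)"
    ngctl msg "$BPF": setprogram "$(bridge_to_tap_msg)"
}

if [ "${NG_APPLY:-0}" = "1" ]; then
    apply_filter
else
    # Dry run: show the two messages that would be sent.
    tap_to_bridge_msg; echo
    bridge_to_tap_msg; echo
fi
```

Without NG_APPLY=1 the script only prints the two setprogram messages, which is a convenient way to eyeball the program text before running it as root; with NG_APPLY=1 it issues the ngctl commands. To change the policy, replace the ALLOW_IP_DDD literal with the output of a real `tcpdump -i rl0 -ddd '<filter>'` run. Since ngctl joins everything after the message name into one string, passing the whole brace expression as a single quoted argument is equivalent to the escaped-quote form shown in ng_bpf(4).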