Date:      Fri, 1 Dec 2017 23:21:57 +0530
From:      sandeep kiran p <sandeepkiranp@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw layer2 filtering with bridged traffic
Message-ID:  <CAAxGnDD93=f4wvLxFhv4NRPbLKs31iXs3-O5tqi77twN9ui3Qg@mail.gmail.com>

Hi,

We are running our application on FreeBSD 10.1. We have a bridge with two
interfaces attached and we are enabling packet filtering using ipfw
(net.link.bridge.ipfw=1). Somehow the IPFW rules that I create for bridged
(layer2) packets never seem to match. To see if IPFW sees any of the
bridged packets, I added a rule right at the beginning of the rules, "ipfw
add 5 count log ip from any to any layer2". But I don't see the count
increasing for this rule even though I see packets on the bridge.

Only when I enable net.link.ether.ipfw, I see the proper layer2 rules being
hit. I can't enable ether.ipfw on the system for some other limitation.

When I looked at the code, in file sys/netpfil/ipfw/ip_fw_pfil.c, I see the
following lines.

        else if (V_fwlink_enable && ipfw_hook(1, AF_LINK) != 0) {
                error = ENOENT;
                printf("ipfw_link_hook() error\n");
        }

where V_fwlink_enable points to the net.link.ether.ipfw flag. The above
code means that ipfw is hooked only if ether.ipfw flag is enabled. If my
understanding is correct, net.link.bridge.ipfw does not enable ipfw filter
to be hooked for layer2 data. Please correct me if I am wrong.

Is this an open issue or has it been corrected in later releases? As a fix,
I am thinking of modifying the above code to also include bridge.ipfw flag.
Something like

        else if ((V_fwlink_enable || V_fwbridge_enable) &&
            ipfw_hook(1, AF_LINK) != 0) {
                error = ENOENT;
                printf("ipfw_link_hook() error\n");
        }

where V_fwbridge_enable will be enabled when net.link.bridge.ipfw is set.

Thanks
Sandeep
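The following is an added example, not code from the mail above or from the FreeBSD project. It shows how to reproduce the check the mail describes and turn it into a yes/no answer: install the same "count ... layer2" probe rule, then read its packet counter back from `ipfw -a list` (which prints rule number, packets, bytes, rule body) and decide whether the layer2 hook is actually seeing bridged frames. The `enable_layer2_filtering` function sets both sysctls the thread discusses (the mail's reading of ip_fw_pfil.c is that the AF_LINK hook is only registered when net.link.ether.ipfw is set, so net.link.bridge.ipfw alone is not enough); it is only meant to be run as root on a FreeBSD host and is not invoked by default. The rule number `PROBE_RULE`, the function names and the two sample listings are assumptions of this example; the listings are constructed, not captured from a real system, so that the parsing part runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original mail, not FreeBSD project code).
# Verifies whether ipfw's layer2 hook actually sees bridged frames, using the
# mail's probe rule and the per-rule counters from `ipfw -a list`.

# Rule number for the probe rule (same as the mail's "ipfw add 5 ..."); assumed.
PROBE_RULE=5

# Root-only, FreeBSD-only: enable layer2 filtering for bridged traffic and install
# the probe rule first so no earlier rule can shadow it. Not run by default.
enable_layer2_filtering() {
    sysctl net.link.bridge.ipfw=1   # let if_bridge hand frames to the pfil hooks
    sysctl net.link.ether.ipfw=1    # per the thread, this is what registers the AF_LINK hook
    ipfw add "$PROBE_RULE" count log ip from any to any layer2
}

# Print the packet counter of rule $1 from `ipfw -a list` output read on stdin.
# Listing format: <rule> <packets> <bytes> <rule body>; rule numbers are zero-padded.
rule_pkts() {
    awk -v n="$1" '$1 + 0 == n + 0 { print $2; exit }'
}

# Exit 0 if rule $1 (listing on stdin) has counted at least one packet, 1 otherwise
# (also when the rule is missing from the listing).
layer2_seen() {
    pkts=$(rule_pkts "$1")
    [ -n "$pkts" ] && [ "$pkts" -gt 0 ]
}

# Live check on a FreeBSD host (not run here): ipfw -a list | layer2_seen "$PROBE_RULE"
live_check() {
    ipfw -a list | layer2_seen "$PROBE_RULE"
}

# Constructed sample listings. The first mirrors the mail's symptom: traffic flows
# through the bridge (rule 100 counts) but the layer2 probe never matches.
SAMPLE_BROKEN='00005       0         0 count log ip from any to any layer2
00100     412     61218 allow ip from any to any
65535      17      1190 deny ip from any to any'

# The second is what a working hook looks like: the probe counts the same traffic.
SAMPLE_WORKING='00005     398     52840 count log ip from any to any layer2
00100     412     61218 allow ip from any to any
65535      17      1190 deny ip from any to any'

# $1 = listing text. Prints a verdict and returns layer2_seen's status.
check_sample() {
    if printf '%s\n' "$1" | layer2_seen "$PROBE_RULE"; then
        echo "layer2 hook active: rule $PROBE_RULE counted packets"
        return 0
    else
        echo "layer2 hook NOT seeing bridged traffic: rule $PROBE_RULE counter is zero or missing"
        return 1
    fi
}

check_sample "$SAMPLE_BROKEN" || true
check_sample "$SAMPLE_WORKING"
```

On the mail's setup the live check is expected to fail while only net.link.bridge.ipfw is set and to succeed once net.link.ether.ipfw is also enabled; if the counter stays at zero with both set, the rule is not the first one evaluated or the frames are not IP (the probe matches `ip` only).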



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAxGnDD93=f4wvLxFhv4NRPbLKs31iXs3-O5tqi77twN9ui3Qg>