Date:      Sat, 15 Apr 2006 23:28:01 +0200
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        Andrew Thompson <thompsa@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: How to use if_bridge
Message-ID:  <20060415232801.0dbbc8f4@localhost>
In-Reply-To: <20060415195147.GA54638@heff.fud.org.nz>
References:  <200604142048.20189.doconnor@gsoft.com.au> <20060414140709.20c51ebc@localhost> <200604151053.25089.doconnor@gsoft.com.au> <20060415115352.1ef82bb1@localhost> <20060415195147.GA54638@heff.fud.org.nz>


Andrew Thompson <thompsa@freebsd.org> wrote:

> On Sat, Apr 15, 2006 at 11:53:52AM +0200, Fabian Keil wrote:
> > "Daniel O'Connor" <doconnor@gsoft.com.au> wrote:
> >
> > > On Friday 14 April 2006 21:37, Fabian Keil wrote:
> >
> > > > Depending on your firewall setup you might have to disable
> > > > some of the net.link.bridge sysctls as well.
> > >
> > > I don't have any firewalls in the kernel for simplicity at this stage.
> >
> > If I'm not mistaken you have to disable net.link.bridge.pfil_onlyip
> > then. From the if_bridge man page:
> >
> > |net.link.bridge.pfil_onlyip  Set to 1 to only allow IP packets to
> > |                             pass when packet filtering is enabled (subject to
> > |                             firewall rules), set to 0 to unconditionally
> > |                             pass all non-IP Ethernet frames.
> >
> > It's enabled by default.
>
> It may not be entirely clear from the description but that sysctl only
> has effect when packet filtering is enabled, both for the on and off
> values.
>
> At present there are only pfil(9) hooks for IP and IPv6 filters, the
> knob controls what happens when filtering is enabled and the packet is
> not IP so won't be inspected, is it passed or dropped.
>
> I'll try and clarify the man page.

Thanks. I always interpreted the sentence as "Set to 1 to allow IP packets to
pass only if packet filtering is enabled". I thought it should prevent the
user from creating an unfiltered bridge by accident.

Another thing regarding the man page:

The example section has the following sentence "Such a configuration
could be used to implement a simple 802.11-to-Ethernet bridge
(assuming the 802.11 interface is in ad-hoc mode)."

I don't get the meaning of the ad-hoc mode part. In my tests if_bridge
worked in hostap mode as well, but failed in infrastructure mode. Could
you clarify if (or why not) bridging in infrastructure mode should work?

Fabian
-- 
http://www.fabiankeil.de/
