Date: Fri, 15 Dec 2000 00:25:15 -0500
From: Clark Gaylord <cgaylord@vt.edu>
To: Luigi Rizzo <rizzo@aciri.org>
Cc: freebsd-net@freebsd.org
Subject: Re: non-learning bridge for pathological network
Message-ID: <20001215002514.C84586@cgaylord.async.vt.edu>
In-Reply-To: <200012150344.eBF3i3592156@iguana.aciri.org>; from rizzo@aciri.org on Thu, Dec 14, 2000 at 07:44:03PM -0800
References: <20001214222838.B84586@cgaylord.async.vt.edu> <200012150344.eBF3i3592156@iguana.aciri.org>

Hello Luigi --

Thank you for your response. Btw, I've been reading over the bridge
code ... many thanks for this valuable resource!

The problem with the "just let it be a router" approach is that I want
all traffic from B to go to A and C, not just that which is actually
intended for said net (yes, all can be considered nets). I.e., a packet
destined for A should be forwarded to C as well as A. I do not see a way
to do this by being a router. OTOH, a non-learning bridge (or pretending
the destination is UNKNOWN ... my hack to lobotomize the bridge) does
this. If there is another way to perform this "forward to multiple
interfaces", I'd be happy to hear what you think.

The point of clobbering ARPs is an interesting one; I'll have to think
about that a bit. I think I can just use static ARP tables for the labs
in question. The subnet-broadcast IP packets would still have source
address from A, say, so maybe some interface-specific denies, e.g.:

    deny from A via ifC

instead of

    deny from A to C

I still get confused with via.

Clark

On Thu, Dec 14, 2000 at 07:44:03PM -0800, Luigi Rizzo wrote:
> if you want to use bridging and you know the IPs of the hosts on
> "networks" A, B, and C (which is what you need to use the 'deny'
> rules) you do not need to hack bridge.c
>
> On the other hand, your solution will not block ARPs and subnet-broadcast
> packets, so i really think the best solution is to use 3 real
> subnets for A B and C (i.e. different address ranges), set the
> machine to act as a router (net.inet.ip.forwarding=1) and block
> traffic between A and C using the firewall below. No bridging or
> messing with the kernel involved
>
> cheers
> luigi
>
> > I am interested in creating a pathological lab network with the
> > following forwarding rules:
> > - three networks (A,B,C)
> > - packets from A or C are forwarded to B
> > - packets from B are forwarded to both A and C
> >
> > I was thinking of using BRIDGE+ipfw to create this by hacking
> > bridge.c so that all dsts are UNKNOWN, then filtering via ipfw by
> >     deny ip from A to C
> >     deny ip from C to A
> >
> > Seems like this would work, but I was wondering what others' thoughts
> > might be on this approach. Perhaps BRIDGE could have a (compile-time?)
> > non-learning flag so that all packets get forwarded as if they are
> > UNKNOWN.
> >
> > Oh, btw, I also want tcpdump to work on any of these interfaces. ;-)
> >
> > Thanks.
> > Clark
> > cgaylord@vt.edu
> >
> > ----- End forwarded message -----
> >
> > --
> > Clark K. Gaylord
> > Blacksburg, Virginia USA
> > cgaylord@vt.edu
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
>

--
Clark K. Gaylord
Blacksburg, Virginia USA
cgaylord@vt.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
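As an added illustration (not code from the thread, from FreeBSD's bridge.c or from ipfw), the Python model below runs the two filtering styles the message contrasts, `deny from A to C` against `deny from A via ifC`, through a bridge that floods every frame as if its destination were UNKNOWN. The address ranges and the interface names fxp0/fxp1/fxp2 are constructed for the example; the meaning given to `via`, `recv` and `xmit` follows ipfw, where `via` matches a packet on either its receiving or its transmitting interface and the other two match one direction only.

```python
"""Toy model of a non-learning bridge in front of ipfw-style rules.

Added illustration, not code from FreeBSD's bridge.c or ipfw.  It models the
lab in the thread: segments A, B and C on one bridge that floods every frame
(every destination treated as UNKNOWN), with a rule list deciding which
copies survive.  Address ranges and interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lab addressing and the NIC each segment hangs off (assumed).
NETS = {
    "A": ipaddress.ip_network("10.0.1.0/24"),
    "B": ipaddress.ip_network("10.0.2.0/24"),
    "C": ipaddress.ip_network("10.0.3.0/24"),
}
IFACE = {"A": "fxp0", "B": "fxp1", "C": "fxp2"}
ANY = "any"


@dataclass
class Rule:
    """One ipfw-like rule.  Interface options follow ipfw's meaning:
    'via' matches either the receiving or the transmitting interface,
    'recv' only the receiving one, 'xmit' only the transmitting one."""
    action: str                 # "deny" or "allow"
    src: str = ANY              # net name from NETS, or "any"
    dst: str = ANY
    via: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None


def addr_matches(spec: str, addr: str) -> bool:
    return spec == ANY or ipaddress.ip_address(addr) in NETS[spec]


def rule_matches(rule: Rule, src: str, dst: str, recv_if: str, xmit_if: str) -> bool:
    return (addr_matches(rule.src, src) and addr_matches(rule.dst, dst)
            and (rule.via is None or rule.via in (recv_if, xmit_if))
            and (rule.recv is None or rule.recv == recv_if)
            and (rule.xmit is None or rule.xmit == xmit_if))


def verdict(rules, src, dst, recv_if, xmit_if) -> str:
    """First matching rule wins; with no match the lab's default is allow."""
    for rule in rules:
        if rule_matches(rule, src, dst, recv_if, xmit_if):
            return rule.action
    return "allow"


def flood(rules, src, dst, recv_if):
    """Non-learning bridge: a copy goes to every other port, and each copy is
    filtered as if transmitted on that port.  Returns the ports that carry it."""
    return sorted(xmit_if for xmit_if in IFACE.values()
                  if xmit_if != recv_if
                  and verdict(rules, src, dst, recv_if, xmit_if) == "allow")


# The address-only rules from the original proposal.
ADDR_RULES = [Rule("deny", "A", "C"), Rule("deny", "C", "A")]
# The interface-based alternative from the reply: anything sourced in A that
# touches C's port is dropped, and vice versa, whatever the destination.
IFACE_RULES = [Rule("deny", "A", via=IFACE["C"]), Rule("deny", "C", via=IFACE["A"])]


def compare():
    """Same three constructed frames through both rule sets; surviving ports."""
    frames = {
        "A_unicast_to_B": ("10.0.1.5", "10.0.2.9", IFACE["A"]),
        "A_broadcast": ("10.0.1.5", "255.255.255.255", IFACE["A"]),
        "B_broadcast": ("10.0.2.9", "255.255.255.255", IFACE["B"]),
    }
    return {name: {"addr": flood(ADDR_RULES, *f), "iface": flood(IFACE_RULES, *f)}
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:15} address rules -> {result['addr']}  "
              f"interface rules -> {result['iface']}")
```

The broadcast case is the one the thread worries about: under the address-only rules a broadcast sourced in A survives the copy onto C's port, because its destination is not in C's range, and so does an A-to-B unicast that the flooding bridge copies onto C's wire; the `via ifC` rule drops both copies while still letting B's broadcasts reach A and C, which is the forwarding the lab asks for.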
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001215002514.C84586>