Date: Sun, 16 Apr 2006 07:51:47 +1200
From: Andrew Thompson <thompsa@freebsd.org>
To: Fabian Keil <freebsd-listen@fabiankeil.de>
Cc: Daniel O'Connor <doconnor@gsoft.com.au>, freebsd-net@freebsd.org
Subject: Re: How to use if_bridge
Message-ID: <20060415195147.GA54638@heff.fud.org.nz>
In-Reply-To: <20060415115352.1ef82bb1@localhost>
References: <200604142048.20189.doconnor@gsoft.com.au> <20060414140709.20c51ebc@localhost> <200604151053.25089.doconnor@gsoft.com.au> <20060415115352.1ef82bb1@localhost>
On Sat, Apr 15, 2006 at 11:53:52AM +0200, Fabian Keil wrote:
> "Daniel O'Connor" <doconnor@gsoft.com.au> wrote:
>
> > On Friday 14 April 2006 21:37, Fabian Keil wrote:
> > > Depending on your firewall setup you might have to disable
> > > some of the net.link.bridge sysctls as well.
> >
> > I don't have any firewalls in the kernel for simplicity at this stage.
>
> If I'm not mistaken you have to disable net.link.bridge.pfil_onlyip
> then. From the if_bridge man page:
>
> |net.link.bridge.pfil_onlyip  Set to 1 to only allow IP packets to
> |                             pass when packet filtering is enabled (subject to
> |                             firewall rules), set to 0 to unconditionally
> |                             pass all non-IP Ethernet frames.
>
> It's enabled by default.

It may not be entirely clear from the description, but that sysctl only
has effect when packet filtering is enabled, both for the on and off
values. At present there are only pfil(9) hooks for IP and IPv6 filters;
the knob controls what happens when filtering is enabled and the packet
is not IP, so won't be inspected: is it passed or dropped. I'll try and
clarify the man page.

cheers,
Andrew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060415195147.GA54638>