Date: Mon, 11 Dec 2006 23:06:16 +0100
From: Andre Oppermann <andre@freebsd.org>
To: Julian Elischer <julian@elischer.org>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: addition to ipfw..
Message-ID: <457DD658.7010707@freebsd.org>
In-Reply-To: <457DCD47.5090004@elischer.org>
References: <457DCD47.5090004@elischer.org>

Julian Elischer wrote:
>
> in ipfw layer 2 processing, the packet is passed to the firewall
> as if it was a layer 3 IP packet but the ether header is also made
> available.
>
> I would like to add something similar in the case where a vlan tag
> is also on the packet..
>
> basically I have a change where:
>
> If we are processing layer 2 packets (in ether or bridge code)
> AND a sysctl says to do it,
> and it is a vlan packet,
>
> Then the vlan header is also held back so that the packet can be
> processed and examined as an IP packet. It is
> (in the same way the ether header is) reattached when the packet is
> accepted.
>
> This allows me to filter packets that are traversing my bridge,
> even though they are encapsulated in a vlan.
>
> I have patches to allow this. I need this function. does anyone else?

Please have the ipfw code examine the vlan tag in the mbuf instead of
fiddling with the mbuf contents.

-- 
Andre