Date: Sat, 27 Oct 2018 22:44:35 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Victor Gamov <vit@otcnet.ru>, freebsd-net@freebsd.org
Subject: Re: ipfw on bridge connecting vlans
Message-ID: <9b8d8c04-8e3e-b148-8a08-135d6ac1785d@grosbein.net>
In-Reply-To: <36cd661e-ca54-be94-fd64-01ee768d5053@otcnet.ru>
References: <36cd661e-ca54-be94-fd64-01ee768d5053@otcnet.ru>
27.10.2018 22:16, Victor Gamov wrote:

> Hi All
>
> I have some misunderstanding how ipfw works with VLAN and bridge
>
> I have the following config
>
>
>              bridge2
>           ------------
>           /    |     \
>          /     |      \
>         /      |       \
>    vlan200  vlan300  vlan400
>    (igb0)   (igb0)   (igb1)
>
>
> =====
> net.link.bridge.ipfw: 1
> net.link.bridge.allow_llz_overlap: 0
> net.link.bridge.inherit_mac: 0
> net.link.bridge.log_stp: 0
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 0
> net.link.bridge.ipfw_arp: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.pfil_onlyip: 0
>
> net.link.ether.ipfw=1
> =====
>
>
> I need to allow some multicast from some vlans, block other multicast and forward allowed multicast into other vlans

Your ruleset needs to differentiate packets based on the name of the incoming bridge member, but you forgot to enable net.link.bridge.pfil_member=1. Enable it.

Also note that changing net.link.bridge.ipfw from 0 to 1 disables net.link.bridge.{pfil_member|pfil_onlyip|pfil_bridge}, but you are allowed to enable them afterwards.

net.link.bridge.pfil_member=1 makes frames enter the ruleset as incoming from the bridge member; zero disables this pass. net.link.bridge.ipfw=1 makes frames enter the ruleset again as incoming from the bridge interface itself, without distinction of bridge member, and for forwarded frames enter the ruleset one more time as outgoing from the bridge itself. And a frame enters the ruleset one MORE time as outgoing from the bridge member if net.link.bridge.pfil_member=1.