RE: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?
From: Andrew Seguin (asegu_at_borgtech.ca)
Date: 12/17/04
- Previous message: Nickolay A. Kritsky: "Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?"
- In reply to: Nickolay A. Kritsky: "Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?"
- Next in thread: asegu_at_borgtech.ca: "Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: "'Nickolay A. Kritsky'" <nkritsky@star-sw.com> Date: Fri, 17 Dec 2004 15:28:06 +0100
Would changing over to RELENG_4 remove these headaches for me?
Maybe if I patch the code you pointed out to be ETHERTYPE_VLAN instead of
_IP, then ipfw will filter only VLAN traffic instead of IP traffic. This I
would be willing to do until a patch became mainstream.
So if the above works, I could just remove remote-console access and leave
the box without an IP address, and IPFW would happily work with filters such
as "deny ip from any to any $PORT"...
Thank you for your help to date, I shall stay tuned to any other ideas!
Andrew
-----Original Message-----
From: Nickolay A. Kritsky [mailto:nkritsky@star-sw.com]
Sent: Friday, December 17, 2004 1:42 PM
To: Andrew Seguin
Cc: freebsd-net@freebsd.org
Subject: Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at
fault?
Hello Andrew,
Friday, December 17, 2004, 12:47:46 PM, Andrew Seguin wrote:
...
I cannot say for sure, because I do not have any 5.x filtering bridge
right now. But after reading some sources I think I understand what is
happening:
bdg_forward in bridge.c is calling ipfw or another packet filter:
/*
* NetBSD-style generic packet filter, pfil(9), hooks.
* Enables ipf(8) in bridging.
*/
if (!IPFW_LOADED) { /* XXX: Prevent ipfw from being run twice. */
if (inet_pfil_hook.ph_busy_count >= 0 &&
m0->m_pkthdr.len >= sizeof(struct ip) &&
ntohs(save_eh.ether_type) == ETHERTYPE_IP) {
Note the last line: for VLAN tagged packet the field
save_eh.ether_type would be ETHERTYPE_VLAN instead of ETHERTYPE_IP and
no filtering will take place. That is what I think is going on. Who is
the current maintainer of bridge code in FreeBSD?
-- Best regards, ; Nickolay A. Kritsky ; SysAdmin STAR Software LLC ; mailto:nkritsky@star-sw.com -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.296 / Virus Database: 265.5.4 - Release Date: 12/15/2004 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.296 / Virus Database: 265.5.4 - Release Date: 12/15/2004 _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Nickolay A. Kritsky: "Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?"
- In reply to: Nickolay A. Kritsky: "Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?"
- Next in thread: asegu_at_borgtech.ca: "Re: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
