Re: addition to ipfw..



On Monday 11 December 2006 23:58, Julian Elischer wrote:
> Andre Oppermann wrote:
> > Julian Elischer wrote:
> > > in ipfw layer 2 processing, the packet is passed to the firewall
> > > as if it was a layer 3 IP packet but the ether header is also made
> > > available.
> > >
> > > I would like to add something similar in the case where a vlan tag
> > > is also on the packet..
> > >
> > > basically I have a change where:
> > >
> > > If we are processing layer 2 packets (in ether or bridge code)
> > > AND a sysctl says to do it,
> > > and it is a vlan packet,
> > >
> > > Then the vlan header is also held back so that the packet can be
> > > processed and examined as an IP packet. It is
> > > (in the same way the ether header is) reattached when the packet is
> > > accepted.
> > >
> > > This allows me to filter packets that are traversing my bridge,
> > > even though they are encapsulated in a vlan.
> > >
> > > I have patches to allow this. I need this function. does anyone
> > > else?
> >
> > Please have the ipfw code examine the vlan tag in the mbuf instead of
> > fiddling with the mbuf contents.
>
> The ipfw will be ignoring the vlan contents.. the patch is to move the
> 'start of ip header' pointer past the vlan header.. (if asked) so that
> it can identify the IP packet.
>
> part of the patch is to make sure all the code uses this pointer
> instead of the case now where some code uses it and some uses mtod().
>
> This could be used in conjunction with a vlan keyword that would look at
> the vlan header, but that is a different feature..

I understand you do have a patch? Let's see it, so we are clear what we
are talking about. I think that w/o a ipfw feature to identify the vlan
number, it is pretty useless. Of course, it would enable you to do some
basic sanity checks, but real filtering needs to know the vlan it is
concerned with. BTW, what speaks against plugging the bridge into the
vlan on either side and bridge the vlan interfaces together?

--
/"\ Best regards, | mlaier@xxxxxxxxxxx
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

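Added example, not code from this thread or from ipfw. It illustrates the two designs the thread argues about: Julian's approach of moving the "start of IP header" offset past an inline 802.1Q tag so the rest of the filter sees a plain IP packet, and Andre's point that the tag is also available out of band (as a NIC with hardware tag stripping delivers it) and that a rule needs the VLAN id to do real filtering. The mbuf is replaced by a flat buffer plus an out-of-band tag field; every struct and function name (l2_frame, l2_locate_ip, l2_rule_match, build_ipv4_frame) is hypothetical, and the frames are constructed for the example.

```c
/* Added example, not from the freebsd-net thread or ipfw. Names are
 * hypothetical; the l2_frame struct stands in for an mbuf. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IP   0x0800
#define ETHER_HDR_LEN  14
#define VLAN_TAG_LEN   4
#define IPV4_MIN_HDR   20
#define VID_ANY        (-1)

/* Flat frame bytes plus an optional out-of-band tag, the way a NIC
 * with hardware tag stripping would hand the packet to the stack. */
struct l2_frame {
    const uint8_t *data;
    size_t len;
    int has_oob_vtag;
    uint16_t oob_vtag;      /* TCI: PCP(3) DEI(1) VID(12) */
};

struct l2_parse {
    size_t ip_off;          /* where the IP header starts, past any tag */
    int tagged;             /* 1 if a tag was seen inline or out of band */
    uint16_t vid;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Advance the "start of IP header" offset past an inline 802.1Q tag when
 * one is present, checking the frame length first. Returns 0 if IPv4. */
int l2_locate_ip(const struct l2_frame *f, struct l2_parse *out)
{
    size_t off = ETHER_HDR_LEN;
    memset(out, 0, sizeof *out);
    if (f->len < ETHER_HDR_LEN)
        return -1;
    uint16_t et = rd16(f->data + 12);
    if (f->has_oob_vtag) {              /* tag already stripped by the NIC */
        out->tagged = 1;
        out->vid = f->oob_vtag & 0x0fff;
    }
    if (et == ETHERTYPE_VLAN) {
        if (f->len < ETHER_HDR_LEN + VLAN_TAG_LEN)
            return -1;                  /* truncated tag: never read past it */
        out->tagged = 1;
        out->vid = rd16(f->data + ETHER_HDR_LEN) & 0x0fff;
        et = rd16(f->data + ETHER_HDR_LEN + 2);
        off += VLAN_TAG_LEN;
    }
    if (et != ETHERTYPE_IP || f->len < off + IPV4_MIN_HDR)
        return -1;
    if ((f->data[off] >> 4) != 4)
        return -1;
    out->ip_off = off;
    return 0;
}

/* Minimal rule: IPv4 destination on a given VLAN id, or VID_ANY. */
struct l2_rule { int vid; uint32_t dst; };

int l2_rule_match(const struct l2_rule *r, const struct l2_frame *f)
{
    struct l2_parse p;
    if (l2_locate_ip(f, &p) != 0)
        return 0;
    if (r->vid != VID_ANY && (!p.tagged || p.vid != r->vid))
        return 0;                       /* right address, wrong (or no) vlan */
    return rd32(f->data + p.ip_off + 16) == r->dst;
}

/* Constructed frame for testing: MACs, optional inline tag, IPv4 header
 * from 10.0.0.1 to dst. Returns the frame length (38 tagged, 34 not). */
size_t build_ipv4_frame(uint8_t *buf, int inline_tag, uint16_t tci, uint32_t dst)
{
    static const uint8_t macs[12] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb };
    size_t n = 12;
    memcpy(buf, macs, 12);
    if (inline_tag) {
        buf[n++] = 0x81; buf[n++] = 0x00;
        buf[n++] = (uint8_t)(tci >> 8); buf[n++] = (uint8_t)tci;
    }
    buf[n++] = 0x08; buf[n++] = 0x00;
    memset(buf + n, 0, IPV4_MIN_HDR);
    buf[n] = 0x45;                      /* version 4, IHL 5 */
    buf[n + 9] = 6;                     /* protocol TCP */
    buf[n + 12] = 10; buf[n + 15] = 1;  /* src 10.0.0.1 */
    buf[n + 16] = (uint8_t)(dst >> 24); buf[n + 17] = (uint8_t)(dst >> 16);
    buf[n + 18] = (uint8_t)(dst >> 8);  buf[n + 19] = (uint8_t)dst;
    return n + IPV4_MIN_HDR;
}
```

Usage: build a tagged frame with build_ipv4_frame(buf, 1, 100, 0x0a000005) and call l2_rule_match with a rule {100, 0x0a000005}; the same frame does not match a rule for vlan 200 but does match VID_ANY, which is the "basic sanity checks" case Max describes. A frame delivered with has_oob_vtag set and an untagged payload parses with ip_off 14 and still reports its vid, so a rule can match on the VLAN whether the tag is in the bytes or in the metadata.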


