bridging VLANs with netgraph(3)
Date: Sat, 25 Mar 2023 14:38:18 UTC
Dear subscribers of the list,

the scenario requires packets for one of the tagged VLANs to be copied in span mode, still tagged, to an epair(4) interface for feeding an IDS inside, but at least one additional vlan(4) inside the jail is required to provide network connectivity for the jail.

With a simple hack[1] of if_bridge(4) it's possible to have an epair(4) interface be a member and a span port at once, so now I have:

    bridge0: everything *--> epair0 | jail --> vlan1499 --> IDS
    bridge0: vlan 1000  <--> epair0 | jail <-> vlan1000 <-> host access

The drawback of this solution is using patched sources and having duplicated packets for vlan1000 inside the jail, but the desired state is:

    vlan 1499 *--> epair0
    vlan 1000 <--> epair0

Any suggestions on how to make it work with netgraph(3) will be warmly appreciated.

[1] https://cgit.freebsd.org/src/tree/sys/net/if_bridge.c#n1206

Cheers

-- 
Marek Zarychta