addition to ipfw..
Andre Oppermann
andre at freebsd.org
Mon Dec 11 14:15:29 PST 2006
Julian Elischer wrote:
>
> in ipfw layer 2 processing, the packet is passed to the firewall
> as if it was a layer 3 IP packet but the ether header is also made
> available.
>
> I would like to add something similar in the case where a vlan tag
> is also on the packet..
>
> basically I have a change where:
>
> If we are processing layer 2 packets (in ether or bridge code)
> AND a sysctl says to do it,
> and it is a vlan packet,
>
> Then the vlan header is also held back so that the packet can be
> processed and examined as an IP packet. It is
> (in the same way the ether header is) reattached when the packet is
> accepted.
>
> This allows me to filter packets that are traversing my bridge,
> even though they are encapsulated in a vlan.
>
> I have patches to allow this. I need this function. Does anyone else?

Please have the ipfw code examine the vlan tag in the mbuf instead of
fiddling with the mbuf contents.
--
Andre
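
Added example, not part of the original thread and not FreeBSD or ipfw code: a user-space sketch of locating the IP header behind an 802.1Q tag by offset, leaving the frame bytes untouched so nothing has to be stripped and reattached. All names (l2_view, l2_locate_l3, the EX_ constants) are hypothetical and the sample frame is constructed; it works on a flat byte buffer rather than an mbuf.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; the values are the standard Ethernet/802.1Q ones. */
#define EX_ETHER_HDR_LEN  14      /* dst(6) + src(6) + ethertype(2) */
#define EX_VLAN_ENCAP_LEN 4       /* TPID(2) + TCI(2) */
#define EX_ETHERTYPE_VLAN 0x8100

struct l2_view {
    size_t   l3_off;    /* offset of the layer 3 header in the frame */
    uint16_t l3_proto;  /* ethertype of the encapsulated payload */
    int      has_vlan;  /* 1 if an 802.1Q tag was present */
    uint16_t vlan_id;   /* low 12 bits of the TCI */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Fill *v from a read-only frame. Returns 0, or -1 if the frame is truncated. */
int l2_locate_l3(const uint8_t *frame, size_t len, struct l2_view *v)
{
    if (len < EX_ETHER_HDR_LEN)
        return -1;
    v->l3_off = EX_ETHER_HDR_LEN;
    v->l3_proto = rd16(frame + 12);
    v->has_vlan = 0;
    v->vlan_id = 0;
    if (v->l3_proto == EX_ETHERTYPE_VLAN) {
        if (len < EX_ETHER_HDR_LEN + EX_VLAN_ENCAP_LEN)
            return -1;              /* tag announced but cut short */
        v->has_vlan = 1;
        v->vlan_id = rd16(frame + 14) & 0x0fff;
        v->l3_proto = rd16(frame + 16);
        v->l3_off += EX_VLAN_ENCAP_LEN;
    }
    return 0;
}

/* Constructed sample: VLAN 100, ethertype IPv4, first two IPv4 header bytes. */
static const uint8_t sample_tagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00
};

int main(void) {
    struct l2_view v;
    if (l2_locate_l3(sample_tagged, sizeof sample_tagged, &v) == 0)
        printf("vlan=%u proto=0x%04x l3_off=%zu\n", v.vlan_id, v.l3_proto, v.l3_off);
    return 0;
}
```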