Bridge
Jon Otterholm
jon.otterholm at ide.resurscentrum.se
Wed Sep 13 11:19:51 PDT 2006
Hi.
According to man if_bridge one could filter L2-traffic with ipfw:
From man if_bridge:
ARP and REVARP packets are forwarded without being filtered and others
that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
enabled. IPFW can filter Ethernet types using mac-type so all packets
are passed to the filter for processing.
ARP is still forwarded though I have the following config:
I have the following sysctl set:
net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
ipfw list:
65533 deny ip from any to any MAC any any
65534 deny ip from any to any layer2
65535 deny ip from any to any
ifconfig:
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet6 fe80::204:23ff:febd:2342%em0 prefixlen 64 scopeid 0x1
ether 00:04:23:bd:23:42
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
ether 00:04:23:bd:23:43
media: Ethernet autoselect
status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
vlan1000: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::204:23ff:febd:2342%vlan1000 prefixlen 64 scopeid 0x5
inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
ether 00:04:23:bd:23:42
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 1000 parent interface: em0
vlan1001: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::204:23ff:febd:2342%vlan1001 prefixlen 64 scopeid 0x6
ether 00:04:23:bd:23:42
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 1001 parent interface: em0
vlan1002: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::204:23ff:febd:2342%vlan1002 prefixlen 64 scopeid 0x7
ether 00:04:23:bd:23:42
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 1002 parent interface: em0
bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether ac:de:48:83:8d:c6
priority 32768 hellotime 2 fwddelay 15 maxage 20
member: vlan1002 flags=3<LEARNING,DISCOVER>
member: vlan1001 flags=3<LEARNING,DISCOVER>
member: vlan10 flags=3<LEARNING,DISCOVER>
vlan10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
inet6 fe80::204:23ff:febd:2342%vlan10 prefixlen 64 scopeid 0x9
ether 00:04:23:bd:23:42
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 10 parent interface: em0
ARP-broadcast can still travel between member IFs in bridge0.
Have I missed something here? Do I have to use bridge instead of if_bridge?
/Jon
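Added example, not part of Jon's post or of FreeBSD itself: a POSIX shell script that audits the net.link.bridge sysctls in the form shown above and reports which setting keeps ARP away from ipfw. The if_bridge text quoted in the post is the basis for the check: with pfil_onlyip enabled, ARP and REVARP are forwarded without being filtered, so a bridge that should filter ARP needs pfil_onlyip cleared before any mac-type rule can see the frames. The two sample sysctl outputs are constructed (the first copies the values from the post, the second clears pfil_onlyip); the apply function only touches the system on a FreeBSD host running as root, and its use of the symbolic ethertype name `arp` for mac-type and of rule number 1000 are assumptions.

```shell
#!/bin/sh
# Audit helper for if_bridge + ipfw L2 filtering (added example, not from the post).

# Extract one sysctl value from "name: value" lines, as sysctl(8) prints them.
# $1 = sysctl name, $2 = sysctl output text.
bridge_sysctl_value() {
    printf '%s\n' "$2" | awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# Return 0 when the given "sysctl net.link.bridge" output describes a bridge that
# hands ARP (and other non-IP frames) to ipfw; otherwise print the blocking
# setting and return 1.  $1 = sysctl output text.
bridge_arp_reaches_ipfw() {
    out=$1
    ipfw=$(bridge_sysctl_value net.link.bridge.ipfw "$out")
    member=$(bridge_sysctl_value net.link.bridge.pfil_member "$out")
    bridge=$(bridge_sysctl_value net.link.bridge.pfil_bridge "$out")
    onlyip=$(bridge_sysctl_value net.link.bridge.pfil_onlyip "$out")

    if [ "$ipfw" != 1 ]; then
        echo "net.link.bridge.ipfw=${ipfw:-unset}: the bridge never calls ipfw"
        return 1
    fi
    if [ "$member" != 1 ] && [ "$bridge" != 1 ]; then
        echo "pfil_member and pfil_bridge both off: no hook point runs the filter"
        return 1
    fi
    if [ "$onlyip" = 1 ]; then
        echo "net.link.bridge.pfil_onlyip=1: ARP and REVARP are forwarded without being filtered"
        return 1
    fi
    echo "non-IP frames (ARP included) are passed to ipfw; mac-type rules can match them"
    return 0
}

# Constructed sample: the values from the post.  ARP bypasses the filter here.
POSTED_SYSCTLS='net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'

# Constructed sample: pfil_onlyip cleared, so non-IP frames reach ipfw.
FIXED_SYSCTLS='net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0'

# Apply the corrected settings plus a rule that drops ARP on the bridge path.
# Acts only on FreeBSD as root; elsewhere it reports what it would run.
# Assumptions: ipfw accepts the ethertype name "arp" (0x0806) for mac-type,
# and rule number 1000 is unused.
apply_bridge_arp_filter() {
    if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
        sysctl net.link.bridge.ipfw=1
        sysctl net.link.bridge.pfil_member=1
        sysctl net.link.bridge.pfil_onlyip=0   # the setting that let ARP through
        ipfw add 1000 deny all from any to any mac-type arp
    else
        echo "would run: sysctl net.link.bridge.pfil_onlyip=0;" \
             "ipfw add 1000 deny all from any to any mac-type arp"
    fi
}

# Stand-alone run: audit both constructed samples.
bridge_arp_reaches_ipfw "$POSTED_SYSCTLS"
bridge_arp_reaches_ipfw "$FIXED_SYSCTLS"
```

On a live host, feed the real output instead of the samples: `bridge_arp_reaches_ipfw "$(sysctl net.link.bridge)"`. Rules 65533 and 65534 in the post never get a chance at ARP while pfil_onlyip is 1, because the bridge code forwards ARP before the filter is consulted, regardless of how the ipfw rules are written.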