Limit arp on bridge

[Andrew Thompson]

On Tue, Sep 12, 2006 at 05:04:12PM +0200, Jon Otterholm wrote:
> Hello.
> 
> I am trying to limit arp-broadcast between member-IF on a bridge 
> (if_bridge) with no luck.
> 
> I have the following sysctls set:
> 
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
> 
> I am using PF for filtering - do I have to use IPFW to limit 
> arp-broadcast between memeber-ifs?

See this snippit of code from if_bridge

         * (Note that since pfil doesn't understand ARP it will pass *ALL*
         * ARP traffic.)
         */
        switch (ether_type) {
                case ETHERTYPE_ARP:
                case ETHERTYPE_REVARP:
                        return (0); /* Automatically pass */


The only way that you will be able to filter ARP packets is by setting
pfil_onlyip=0, ipfw=1 and use the IPFW layer2 filtering.


cheers,
Andrew