if_bridge and filtering on member interface
Jon Otterholm
jon.otterholm at ide.resurscentrum.se
Wed Aug 29 04:14:20 PDT 2007
Hi.
It seems that filtering on member interfaces is a bit buggy at the moment.
For testing I tried to use the following 3 rules to block traffic using PF:
The following works and blocks traffic:
block log quick on bridge0 from xx.xx.xx.xx to any
The following does not work:
block log quick on em0.400 from xx.xx.xx.xx to any
The following does not work either:
block log quick on em0.400 from any to any
su-2.05b# ifconfig bridge0 | more
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet xx.xx.xx.xx netmask 0xfffffe00 broadcast xx.xx.xx.xx
inet xx.xx.xx.xx netmask 0xffffff80 broadcast xx.xx.xx.xx
ether XX:XX:XX:XX:XX:XX
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp maxaddr 500 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
member: em0.400 flags=9c0<PRIVATE,AUTOEDGE,PTP,AUTOPTP>
su-2.05b# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0
su-2.05b# uname -a
FreeBSD hostname.domain 6.2-STABLE FreeBSD 6.2-STABLE #6: Mon Aug 20
11:48:40 CEST 2007
Anything I missed? According to if_bridge(4) I am supposed to be able
to block traffic on the interface it enters, on the bridge and on the
interface it leaves.
//JO
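Added example, not from the post or the FreeBSD project: a POSIX sh audit helper that parses the text of `sysctl net.link.bridge` and reports whether a pf rule placed "on" a given interface has its if_bridge(4) pfil hook point enabled (pfil_member for member interfaces, pfil_bridge for the bridge itself). The sysctl sample is constructed to mirror the values in the post; bridge0 and em0.400 are the names the post uses.

```shell
#!/bin/sh
# Audit if_bridge(4) pfil hook points against a pf rule's "on <iface>" target.
# Constructed sample, mirroring the sysctl values shown in the post.
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0'

# sysctl_val NAME TEXT -> value of net.link.bridge.NAME from TEXT, or empty
sysctl_val() {
    printf '%s\n' "$2" | awk -v k="net.link.bridge.$1:" '$1 == k { print $2 }'
}

# pfil_points TEXT -> space-separated hook points pf can use:
#   "member" when pfil_member=1 (rules on em0.400, both in and out)
#   "bridge" when pfil_bridge=1 (rules on bridge0)
pfil_points() {
    out=""
    [ "$(sysctl_val pfil_member "$1")" = "1" ] && out="$out member"
    [ "$(sysctl_val pfil_bridge "$1")" = "1" ] && out="$out bridge"
    printf '%s\n' "${out# }"
}

# rule_iface_kind IFACE BRIDGE MEMBER... -> "bridge", "member" or "unknown"
rule_iface_kind() {
    iface=$1; bridge=$2; shift 2
    [ "$iface" = "$bridge" ] && { echo bridge; return; }
    for m in "$@"; do [ "$iface" = "$m" ] && { echo member; return; }; done
    echo unknown
}

# rule_can_match IFACE TEXT BRIDGE MEMBER... -> "yes" when the pfil point
# for IFACE is enabled, otherwise "no (...)" naming the sysctl to look at
rule_can_match() {
    iface=$1; text=$2; shift 2
    kind=$(rule_iface_kind "$iface" "$@")
    case "$kind" in
        bridge) [ "$(sysctl_val pfil_bridge "$text")" = "1" ] && echo yes || echo "no (net.link.bridge.pfil_bridge=0)" ;;
        member) [ "$(sysctl_val pfil_member "$text")" = "1" ] && echo yes || echo "no (net.link.bridge.pfil_member=0)" ;;
        *)      echo "no ($iface is not bridge0 or a member)" ;;
    esac
}

# On a FreeBSD host, replace the sample with the live values:
# SAMPLE_SYSCTL=$(sysctl net.link.bridge)
rule_can_match em0.400 "$SAMPLE_SYSCTL" bridge0 em0.400
rule_can_match bridge0 "$SAMPLE_SYSCTL" bridge0 em0.400
```

With the post's values both interfaces report yes, so a disabled pfil sysctl is not what keeps the em0.400 rule from matching.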