ipfw on bridge connecting vlans
Victor Gamov
vit at otcnet.ru
Sat Oct 27 15:16:22 UTC 2018
Hi All
I have some misunderstanding of how ipfw works with VLANs and bridges.
I have the following config:
               bridge2
      ---------------------------
         /         |         \
        /          |          \
    vlan200     vlan300     vlan400
     (igb0)      (igb0)      (igb1)
=====
net.link.bridge.ipfw: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
net.link.ether.ipfw=1
=====
I need to allow some multicast from some vlans, block other multicast,
and forward the allowed multicast into other vlans.
For example: allow 239.0.0.10 received via vlan200, but block the same
239.0.0.10 if it comes via another vlan. Then bridge 239.0.0.10 into vlan400.
The simplest ipfw rules for this example:
=====
table blockit create type iface
table blockit add vlan200
table blockit add vlan300
table blockit add vlan400
1000 allow ip from any to any via igb0
1002 allow ip from any to any via igb2
1100 deny ip from any to any mac-type 0x0806 via bridge2
1102 allow ip from any to any via bridge2
2000 allow ip from any to 239.0.0.10 in via vlan200
4000 allow ip from any to 239.0.0.10 out via vlan400
9000 deny ip from any to any via table(blockit)
65000 allow ip from any to any
=====
My expectations are as follows:
1. An Ethernet packet tagged as VLAN-200 arrives on igb0. This packet has igb0
as 'recv'. The packet is checked by ipfw now, so I need
1000 allow ip from any to any via igb0
1002 allow ip from any to any via igb2
2. The Ethernet packet is untagged and checked by ipfw. This packet has vlan200
as 'recv'. The packet passes 2000.
If dst 239.0.0.10 comes from vlan300 it is blocked by 9000.
3. The IP packet comes through if_bridge and is checked by ipfw. ARP packets are
blocked by 1100. Other packets pass via bridge2 by 1102.
4. The IP multicast packet is copied to all bridge members and checked by ipfw
on all outgoing interfaces: the packet passes 4000 on vlan400, but is blocked by
9000 on vlan300. So only one bridge member has this packet.
5. The Ethernet packet is tagged as VLAN-400 and checked by ipfw. The packet passes
by 4000.
6. The tagged packet goes out via igb2 and is checked by ipfw. The packet passes by 1002.
Can somebody explain to me how a tagged multicast packet goes via the bridge and
is passed into IPFW, and correct my packet path above?
Thanks!
--
CU
Victor Gamov
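The following is an added example, not code from the post or from FreeBSD: a small model of the packet path the post expects (steps 1-6) with a minimal ipfw rule matcher, so the effect of the rule set on each copy of a multicast frame can be traced check point by check point. Everything in it is an assumption of the model: first match wins; the proto keyword is ignored (every rule is treated like 'ip'); 'via IFACE' matches the check point's interface in either direction while 'in'/'out' pin the direction; 'via table(NAME)' matches when the interface is in that iface table; 'mac-type' compares the frame's Ethertype. The member-to-parent mapping follows the rule set in the post (igb2 for vlan400; the diagram says igb1), and the check points are the poster's expectations, not verified if_bridge behaviour.

```python
"""Toy model of the expected ipfw check points on an if_bridge with VLAN
members (added example; simplified ipfw semantics, see comments)."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int = 0x0800   # 0x0800 IPv4, 0x0806 ARP


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # 'allow' or 'deny'
    dst: str                   # 'any' or an address
    direction: Optional[str]   # 'in', 'out' or None (plain 'via')
    mac_type: Optional[int]    # Ethertype from 'mac-type', if given
    iface: Optional[str]       # interface name from 'via IFACE'
    table: Optional[str]       # table name from 'via table(NAME)'


# The rule set from the post, verbatim.
RULESET_TEXT = """
table blockit create type iface
table blockit add vlan200
table blockit add vlan300
table blockit add vlan400
1000 allow ip from any to any via igb0
1002 allow ip from any to any via igb2
1100 deny ip from any to any mac-type 0x0806 via bridge2
1102 allow ip from any to any via bridge2
2000 allow ip from any to 239.0.0.10 in via vlan200
4000 allow ip from any to 239.0.0.10 out via vlan400
9000 deny ip from any to any via table(blockit)
65000 allow ip from any to any
"""

# Bridge member -> parent interface (assumption: taken from the rule set,
# which uses igb2 where the post's diagram says igb1).
BRIDGE = "bridge2"
MEMBERS = {"vlan200": "igb0", "vlan300": "igb0", "vlan400": "igb2"}


def load_ruleset(text):
    """Parse 'table ...' lines and numbered rules of the shape used in the post."""
    tables, rules = {}, []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "table":
            if tok[2] == "create":
                tables[tok[1]] = set()
            elif tok[2] == "add":
                tables[tok[1]].add(tok[3])
            continue
        number, action = int(tok[0]), tok[1]
        dst = tok[tok.index("to") + 1]
        rest = tok[tok.index("to") + 2:]          # options after the dst
        direction = mac_type = iface = table = None
        i = 0
        while i < len(rest):
            if rest[i] in ("in", "out"):
                direction = rest[i]
            elif rest[i] == "mac-type":
                i += 1
                mac_type = int(rest[i], 16)
            elif rest[i] == "via":
                i += 1
                if rest[i].startswith("table("):
                    table = rest[i][len("table("):-1]
                else:
                    iface = rest[i]
            i += 1
        rules.append(Rule(number, action, dst, direction, mac_type, iface, table))
    return rules, tables


def evaluate(rules, tables, frame, iface, direction):
    """Return (rule_number, action) of the first rule matching at one check point."""
    for r in rules:
        if r.dst != "any" and r.dst != frame.dst:
            continue
        if r.mac_type is not None and r.mac_type != frame.ethertype:
            continue
        if r.direction is not None and r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.table is not None and iface not in tables[r.table]:
            continue
        return r.number, r.action
    raise LookupError("no matching rule")  # the post's set ends in 65000 allow


def trace(rules, tables, frame, ingress):
    """Walk the check points of steps 1-6 as the post expects them.
    Returns (steps, delivered): steps is a list of (iface, direction,
    rule_number, action); delivered lists the members the frame leaves on."""
    steps = []

    def check(iface, direction):
        num, act = evaluate(rules, tables, frame, iface, direction)
        steps.append((iface, direction, num, act))
        return act == "allow"

    # steps 1-3: parent interface, then the vlan member, then the bridge itself
    for iface in (MEMBERS[ingress], ingress, BRIDGE):
        if not check(iface, "in"):
            return steps, []
    # steps 4-6: one copy per other member, checked on the member and its parent
    delivered = []
    for member, parent in MEMBERS.items():
        if member == ingress:
            continue
        if check(member, "out") and check(parent, "out"):
            delivered.append(member)
    return steps, delivered


if __name__ == "__main__":
    rules, tables = load_ruleset(RULESET_TEXT)
    mcast = Frame("10.0.0.1", "239.0.0.10")   # constructed sample frame
    for ingress in ("vlan200", "vlan300"):
        steps, out = trace(rules, tables, mcast, ingress)
        print(f"239.0.0.10 in via {ingress}: delivered to {out}")
        for s in steps:
            print("   ", *s)
```

Under the poster's own path, the frame arriving via vlan200 is accepted by 2000 and 1102, its copy for vlan300 dies on 9000 while the copy for vlan400 passes 4000 and 1002, and the same frame arriving via vlan300 is dropped at the member check by 9000 before it ever reaches bridge2. Whether if_bridge actually presents the frame at each of those check points with those interface names is exactly the question the post asks, which is why the model treats the check-point list as an input rather than a fact.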
More information about the freebsd-net mailing list