Date: Thu, 14 Sep 2006 09:42:50 +1200
From: Andrew Thompson <thompsa@freebsd.org>
To: Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
Cc: freebsd-net@freebsd.org
Subject: Re: Limit arp on bridge
Message-ID: <20060913214250.GB6334@heff.fud.org.nz>
In-Reply-To: <4506CC6C.4030308@ide.resurscentrum.se>
References: <4506CC6C.4030308@ide.resurscentrum.se>

On Tue, Sep 12, 2006 at 05:04:12PM +0200, Jon Otterholm wrote:
> Hello.
>
> I am trying to limit arp-broadcast between member-IF on a bridge
> (if_bridge) with no luck.
>
> I have the following sysctls set:
>
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
> I am using PF for filtering - do I have to use IPFW to limit
> arp-broadcast between member-ifs?

See this snippet of code from if_bridge:

         * (Note that since pfil doesn't understand ARP it will pass *ALL*
         * ARP traffic.)
         */
        switch (ether_type) {
        case ETHERTYPE_ARP:
        case ETHERTYPE_REVARP:
                return (0); /* Automatically pass */

The only way that you will be able to filter ARP packets is by setting
pfil_onlyip=0, ipfw=1 and using the IPFW layer2 filtering.

cheers,
Andrew
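As an added example (not from the thread or from FreeBSD's own scripts), the sysctl settings Andrew describes, together with ipfw layer-2 rules that drop ARP/RARP frames received on one bridge member. The member name, rule numbers and the assumption that ipfw's `recv` matches the member interface the bridged frame arrived on are mine; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: ARP filtering on if_bridge through ipfw layer-2 rules.
# Assumptions: member interface name, rule numbers, and that `recv`
# matches the member the frame was received on.

DRY_RUN=${DRY_RUN:-1}
BRIDGE_ARP_MEMBER=${BRIDGE_ARP_MEMBER:-em1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# pfil_onlyip=1 short-circuits ARP/RARP before any filter sees it (the
# switch in if_bridge quoted above), so it must be 0; ipfw=1 hands bridged
# frames to ipfw at layer 2.
bridge_sysctls() {
    run sysctl net.link.bridge.pfil_onlyip=0
    run sysctl net.link.bridge.ipfw=1
    run sysctl net.link.bridge.pfil_member=1
}

# Drop ARP (ethertype 0x0806) and RARP (0x8035) frames received on the
# given member, then let all other layer-2 frames through so the existing
# IP rules further down the ruleset keep working.
bridge_arp_rules() {
    member=$1
    run ipfw add 100 deny mac-type 0x0806,0x8035 layer2 recv "$member"
    run ipfw add 110 allow all from any to any layer2
}

bridge_sysctls
bridge_arp_rules "$BRIDGE_ARP_MEMBER"
```

Run with DRY_RUN=0 as root on the bridge host to apply the settings; keep the rule numbers below your existing IP rules so layer-2 decisions are made first.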