From: Andrew Thompson <thompsa@freebsd.org>
To: Jon Otterholm
Cc: freebsd-net@freebsd.org
Date: Thu, 14 Sep 2006 09:42:50 +1200
Subject: Re: Limit arp on bridge
Message-ID: <20060913214250.GB6334@heff.fud.org.nz>
In-Reply-To: <4506CC6C.4030308@ide.resurscentrum.se>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Sep 12, 2006 at 05:04:12PM +0200, Jon Otterholm wrote:
> Hello.
>
> I am trying to limit arp-broadcast between member-IFs on a bridge
> (if_bridge) with no luck.
>
> I have the following sysctls set:
>
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
> I am using PF for filtering - do I have to use IPFW to limit
> arp-broadcast between member-ifs?
See this snippet of code from if_bridge:

	/*
	 * (Note that since pfil doesn't understand ARP it will pass *ALL*
	 * ARP traffic.)
	 */
	switch (ether_type) {
		case ETHERTYPE_ARP:
		case ETHERTYPE_REVARP:
			return (0); /* Automatically pass */

The only way that you will be able to filter ARP packets is by setting
pfil_onlyip=0, ipfw=1 and using the IPFW layer2 filtering.

cheers,
Andrew
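The configuration Andrew describes, written out as an added example that is not part of the original thread or of the FreeBSD source: a POSIX shell script that prints the sysctl(8) settings and the ipfw(8) layer2 rules that drop ARP/RARP frames forwarded between two bridge members while passing everything else. The member names em0/em1, the rule numbers, the use of recv/xmit to name the inbound and outbound member, and the "print, then review, then run" workflow are assumptions; ipfw must already be compiled in or loaded (kldload ipfw) for net.link.bridge.ipfw=1 to have any effect.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the sysctl and ipfw
# commands for filtering ARP between if_bridge members at layer2.
# Interface names, rule numbers and recv/xmit usage are assumptions.

# pfil_onlyip=0 stops if_bridge from short-circuiting non-IP frames;
# ipfw=1 hands every forwarded frame to ipfw with the layer2 flag set.
BRIDGE_SYSCTLS="net.link.bridge.pfil_onlyip=0 net.link.bridge.ipfw=1"

# Print the sysctl(8) invocations, one per line.
bridge_arp_sysctls() {
    for kv in $BRIDGE_SYSCTLS; do
        printf 'sysctl %s\n' "$kv"
    done
}

# Print ipfw(8) rules that deny ARP (0x0806) and RARP (0x8035) frames
# received on member $1 and about to be transmitted on member $2, and the
# reverse direction, then explicitly allow all other layer2 traffic so a
# default-deny ipfw kernel does not black-hole the bridge.
#   $1 = first member, $2 = second member, $3 = first rule number (default 1000)
bridge_arp_rules() {
    a=$1; b=$2; base=${3:-1000}
    printf 'ipfw add %d deny mac-type arp,rarp layer2 recv %s xmit %s\n' \
        "$base" "$a" "$b"
    printf 'ipfw add %d deny mac-type arp,rarp layer2 recv %s xmit %s\n' \
        "$((base + 1))" "$b" "$a"
    printf 'ipfw add %d allow all from any to any layer2\n' "$((base + 2))"
}

# Usage (review the output first, then pipe it to sh as root):
#   sh bridge_arp.sh em0 em1 | less
#   sh bridge_arp.sh em0 em1 | sh
if [ "$#" -eq 2 ]; then
    bridge_arp_sysctls
    bridge_arp_rules "$1" "$2"
fi
```

The script only prints commands, so it can be reviewed, diffed against an existing ruleset, or run under `ipfw -n` style checks before anything touches the kernel; on later FreeBSD releases if_bridge additionally gates ARP through a separate net.link.bridge.ipfw_arp sysctl, so check if_bridge(4) for the release in use.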