Date: Wed, 29 Aug 2007 13:14:20 +0200
From: Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To: freebsd-net@freebsd.org, Andrew Thompson <thompsa@FreeBSD.org>
Subject: if_bridge and filtering on member interface
Message-ID: <46D5550C.6020209@ide.resurscentrum.se>
Hi.

It seems that filtering on member interfaces is a bit buggy at the moment. For testing I tried to use the following 3 rules to block traffic using PF:

The following works and blocks traffic:

    block log quick on bridge0 from xx.xx.xx.xx to any

The following does not work:

    block log quick on em0.400 from xx.xx.xx.xx to any

The following does not work either:

    block log quick on em0.400 from any to any

su-2.05b# ifconfig bridge0 | more
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet xx.xx.xx.xx netmask 0xfffffe00 broadcast xx.xx.xx.xx
        inet xx.xx.xx.xx netmask 0xffffff80 broadcast xx.xx.xx.xx
        ether XX:XX:XX:XX:XX:XX
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp maxaddr 500 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: em0.400 flags=9c0<PRIVATE,AUTOEDGE,PTP,AUTOPTP>

su-2.05b# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0

su-2.05b# uname -a
FreeBSD hostname.domain 6.2-STABLE FreeBSD 6.2-STABLE #6: Mon Aug 20 11:48:40 CEST 2007

Anything I missed? According to if_bridge(4) I am supposed to be able to block traffic on the interface it enters, on the bridge and on the interface it leaves.

//JO
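As an added example (not part of the original mail), the following POSIX shell script takes captured `sysctl net.link.bridge` and `ifconfig bridge0` output and reports, for the interface each PF rule names, whether if_bridge(4) will hand frames to pf at that point under the `pfil_bridge` / `pfil_member` / `pfil_onlyip` settings. The captured text embedded below is constructed to mirror the poster's configuration; `igb1` is a made-up interface used to show the "not a member" case.

```shell
#!/bin/sh
# Constructed output modelled on the mail; replace with real captures.
SYSCTL_OUT='net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0'
IFCONFIG_OUT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        member: em0.400 flags=9c0<PRIVATE,AUTOEDGE,PTP,AUTOPTP>'

# sysctl_val NAME: value of net.link.bridge.NAME from the captured output.
sysctl_val() {
    printf '%s\n' "$SYSCTL_OUT" | awk -v k="net.link.bridge.$1:" '$1 == k { print $2 }'
}

# bridge_name: the interface name on the first ifconfig line (without ':').
bridge_name() {
    printf '%s\n' "$IFCONFIG_OUT" | awk 'NR == 1 { sub(":$", "", $1); print $1 }'
}

# bridge_members: every interface listed on a "member:" line.
bridge_members() {
    printf '%s\n' "$IFCONFIG_OUT" | awk '$1 == "member:" { print $2 }'
}

# frame_scope: pfil_onlyip=1 means only IP/IPv6/ARP-less IP frames reach pf.
frame_scope() {
    [ "$(sysctl_val pfil_onlyip)" = 1 ] && echo ip-only || echo all-frames
}

# filter_point IFACE: classify IFACE and say whether pf sees frames there.
# Prints bridge:on, bridge:off, member:on, member:off or unknown.
filter_point() {
    iface=$1
    if [ "$iface" = "$(bridge_name)" ]; then
        [ "$(sysctl_val pfil_bridge)" = 1 ] && echo bridge:on || echo bridge:off
        return
    fi
    for m in $(bridge_members); do
        if [ "$m" = "$iface" ]; then
            [ "$(sysctl_val pfil_member)" = 1 ] && echo member:on || echo member:off
            return
        fi
    done
    echo unknown
}

# Walk the interfaces named in the three rules plus a non-member control.
for i in bridge0 em0.400 igb1; do
    printf '%-8s %-10s %s\n' "$i" "$(filter_point "$i")" "$(frame_scope)"
done
```

With the poster's sysctls both `bridge0` and the member `em0.400` report `on`, which is the expectation the mail quotes from if_bridge(4); an interface that is not a member prints `unknown` so a rule on it can be spotted quickly.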