From owner-freebsd-current Fri Dec 22 11:42:50 2000
From owner-freebsd-current@FreeBSD.ORG Fri Dec 22 11:42:46 2000
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from bps.eca-mail.org (c115139.upc-c.chello.nl [212.187.115.139]) by hub.freebsd.org (Postfix) with ESMTP id EE54337B400; Fri, 22 Dec 2000 11:42:44 -0800 (PST)
Received: (from joost@localhost) by bps.eca-mail.org (8.11.1/8.11.1) id eBMJggO05347; Fri, 22 Dec 2000 20:42:42 +0100 (CET) (envelope-from joost)
Date: Fri, 22 Dec 2000 20:42:42 +0100 (CET)
From: Joost Bekkers
Message-Id: <200012221942.eBMJggO05347@bps.eca-mail.org>
To: FreeBSD-gnats-submit@freebsd.org, FreeBSD-current@freebsd.org, joost@bps.eca-mail.org
Subject: bridge code doesn't work like the man page says
Reply-To: joost@bps.eca-mail.org
X-send-pr-version: 3.2
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>Submitter-Id: current-users
>Originator: Joost Bekkers
>Organization:
>Confidential: no
>Synopsis: bridge/firewall doesn't work as in bridge(4)
>Severity: serious
>Priority: medium
>Category: kern
>Release: FreeBSD 4.2-RELEASE i386
>Class: sw-bug
>Environment:
4.2 RELEASE with the options BRIDGE and IPFIREWALL.
>Description:
When using a kernel with BRIDGE and IPFIREWALL and not IPFIREWALL_DEFAULT_TO_ACCEPT, bridge(4) states all non-ip packets will not be forwarded. This is not true! All non-ip packets will be forwarded regardless of the firewall.
>How-To-Repeat:
Make a kernel with BRIDGE and IPFIREWALL. Generate non-ip (like arp or ipx) traffic and notice how it passes through the bridge.
>Fix:
I've added some options to make the bridge/firewall combo useful.
# $FreeBSD: src/sys/conf/options,v 1.191.2.20 2000/11/16 17:28:30 archie Exp $ *** conf/options~ Thu Dec 21 20:06:38 2000 --- conf/options Thu Dec 21 13:04:05 2000 *************** *** 220,225 **** --- 220,228 ---- BOOTP_NFSV3 opt_bootp.h BOOTP_WIRED_TO opt_bootp.h BRIDGE opt_bdg.h + BRIDGE_IP_ONLY opt_bdg.h + BRIDGE_ALLOW_ARP opt_bdg.h + BRIDGE_ALLOW_RARP opt_bdg.h ETHER_II opt_ef.h ETHER_8023 opt_ef.h ETHER_8022 opt_ef.h * $FreeBSD: src/sys/net/bridge.c,v 1.16.2.6 2000/09/25 17:30:01 nsayer Exp $ *** net/bridge.c~ Thu Dec 21 20:04:45 2000 --- net/bridge.c Thu Dec 21 20:44:41 2000 *************** *** 56,61 **** --- 56,71 ---- * option BRIDGE * and then at runtime set the sysctl variable to enable bridging. * + * If you want to combine a bridge with a firewall: + * option IPFIREWALL + * and since it usualy doesn't make a lot of sense to block ip and + * let all the other protocols pass freely, use + * option BRIDGE_IP_ONLY + * And because arp (and sometimes rarp) can be extremely usefull in + * an ip network + * option BRIDGE_ALLOW_ARP + * option BRIDGE_ALLOW_RARP + * * Only one interface is supposed to have addresses set (but * there are no problems in practice if you set addresses for more * than one interface). 
*************** *** 91,96 **** --- 101,107 ---- #include "opt_ipfw.h" #include "opt_ipdn.h" + #include "opt_bdg.h" #if defined(IPFIREWALL) #include *************** *** 445,450 **** --- 456,474 ---- bzero(ifp2sc, BDG_MAX_PORTS * sizeof(struct bdg_softc) ); bzero(&bdg_stats, sizeof(bdg_stats) ); + /* added by bps */ + printf("BRIDGING ENABLED" + #ifdef BRIDGE_IP_ONLY + " protocols ip" + #ifdef BRIDGE_ALLOW_ARP + ",arp" + #endif + #ifdef BRIDGE_ALLOW_RARP + ",rarp" + #endif + " only" + #endif + "\n"); bdgtakeifaces(); bdg_timeout(0); do_bridge=0; *************** *** 658,663 **** --- 682,688 ---- struct ip_fw_chain *rule = NULL ; int off; struct ip *ip ; + u_short frame_type; m = *m0 ; #ifdef DUMMYNET *************** *** 678,685 **** --- 703,729 ---- goto forward ; if (src == NULL) goto forward ; /* do not apply to packets from ether_output */ + frame_type=ntohs(eh->ether_type); + #ifdef BRIDGE_ALLOW_ARP + if (frame_type == ETHERTYPE_ARP) + goto forward ; /* BRIDGE_ALLOW_ARP is defined, so forward arp */ + #endif + #ifdef BRIDGE_ALLOW_RARP + if (frame_type == ETHERTYPE_REVARP) + goto forward ; /* BRIDGE_ALLOW_RARP is defined, so forward rarp */ + #endif if (ntohs(eh->ether_type) != ETHERTYPE_IP) + #ifdef BRIDGE_IP_ONLY /* we're bridging IP (and maybe arp/rarp) only */ + { + if (canfree) { + m_freem(*m0) ; + *m0 = NULL ; + } + return 0; + } + #else /* we're bridging everything */ goto forward ; /* not an IP packet, ipfw is not appropriate */ + #endif /* * In this section, canfree=1 means m is the same as *m0. * canfree==0 means m is a copy. We need to make a copy here
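Review bot: the conf/options hunk adds BRIDGE_IP_ONLY, BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP without a matching change to bridge(4) or to the LINT config, even though the PR's own synopsis is that bridge(4) misdescribes what the firewall does to non-IP frames. Document the three options next to BRIDGE in both places, and say explicitly that without BRIDGE_IP_ONLY every non-IP frame still bypasses ipfw, since that is the behaviour the report is about.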
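Review bot: the comment block added in the net/bridge.c header hunk (*** 56,61 ****) has spelling errors ("usualy", "usefull") and omits that BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP only change anything when BRIDGE_IP_ONLY is also set: without it the later bdg_forward hunk already sends every non-IP frame to forward, so the two ARP/RARP options are no-ops. The same comment says bridging is switched on "at runtime" via sysctl; a sysctl knob under the same tree for the IP-only policy would let an operator inspect and change it without a rebuild, which is worth considering instead of three compile-time options.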
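Review bot: in the init hunk (*** 445,450 ****) drop the "/* added by bps */" attribution comment; the commit log carries authorship. The message itself prints "BRIDGING ENABLED" unconditionally at attach time, but the very next lines set do_bridge=0, so bridging is not enabled at that point; print only the policy part, and only when BRIDGE_IP_ONLY is defined, e.g. "bridge: forwarding ip,arp only", so the console line states something that is actually true.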
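Review bot: in the bdg_forward hunk (*** 678,685 ****) the new frame_type variable is assigned but the pre-existing test still re-evaluates ntohs(eh->ether_type); use frame_type there. Placing #ifdef BRIDGE_IP_ONLY / #else / #endif between an if condition and its body is hard to read and easy to break on the next edit; write it as one block, along the lines of "if (frame_type != ETHERTYPE_IP) {" followed by the drop under #ifdef BRIDGE_IP_ONLY and "goto forward;" otherwise. The drop path frees *m0 only when canfree is set and otherwise returns 0 without touching the mbuf; confirm this matches the function's existing handling of a firewall-denied packet and reuse that path rather than duplicating the freeing logic. The drop is also silent: bdg_stats is initialised in the earlier hunk, so count dropped non-IP frames there (or log them rate-limited) so an operator can tell a BRIDGE_IP_ONLY drop from a link problem. Finally, only the outer ether_type is examined, so under BRIDGE_IP_ONLY IPv6 and 802.1Q-tagged frames are dropped together with IPX; the comment block and bridge(4) should say so.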
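The description above says the stock bridge hands only IP frames to ipfw and forwards everything else untouched, and the patch adds a compile-time IP-only policy with ARP/RARP exceptions. The following user-space model of that decision is an added example, not code from the PR or from FreeBSD's net/bridge.c: the struct bdg_policy fields, bdg_classify(), make_frame() and verdict_for() are this example's own names, with the kernel's #ifdef options turned into runtime flags so the policy can be checked against constructed frames (including IPv6, 802.1Q-tagged and raw 802.3 frames, which the PR does not mention) without building a kernel. The ETHERTYPE_* values are the standard ones from <net/ethernet.h>.

```c
/*
 * Added example (not part of the PR or of FreeBSD's bridge.c): a user-space
 * model of the forwarding decision the patched bdg_forward() makes. The
 * policy struct stands in for BRIDGE_IP_ONLY / BRIDGE_ALLOW_ARP /
 * BRIDGE_ALLOW_RARP (assumed runtime form; the patch uses #ifdef).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ethertype values as in <net/ethernet.h>, repeated so the file is self-contained. */
#define ETHERTYPE_IP      0x0800
#define ETHERTYPE_ARP     0x0806
#define ETHERTYPE_REVARP  0x8035
#define ETHERTYPE_VLAN    0x8100
#define ETHERTYPE_IPV6    0x86DD
#define ETHER_HDR_LEN     14
#define ETHER_MIN_PAYLOAD 46

struct bdg_policy {
    int ip_only;    /* BRIDGE_IP_ONLY:    drop frames that are not IP (or allowed ARP/RARP) */
    int allow_arp;  /* BRIDGE_ALLOW_ARP:  forward ARP without ipfw */
    int allow_rarp; /* BRIDGE_ALLOW_RARP: forward RARP without ipfw */
};

enum bdg_verdict {
    BDG_MALFORMED,          /* shorter than an Ethernet header */
    BDG_FORWARD_UNFILTERED, /* the patch's "goto forward": ipfw never sees it */
    BDG_TO_IPFW,            /* IP: falls through to the firewall check */
    BDG_DROP_NONIP          /* BRIDGE_IP_ONLY drop: m_freem() and return 0 */
};

/* Same order of checks as the patched bdg_forward(): allowed ARP/RARP first,
 * then the IP test; anything else is forwarded untouched by default and
 * dropped only under ip_only. Only the outer ether_type is examined, exactly
 * as in the kernel code, so tagged or tunnelled IP does not count as IP. */
enum bdg_verdict
bdg_classify(const uint8_t *frame, size_t len, const struct bdg_policy *p)
{
    uint16_t frame_type;

    if (len < ETHER_HDR_LEN)
        return BDG_MALFORMED;
    frame_type = (uint16_t)((frame[12] << 8) | frame[13]); /* ntohs(eh->ether_type) */
    if (p->allow_arp && frame_type == ETHERTYPE_ARP)
        return BDG_FORWARD_UNFILTERED;
    if (p->allow_rarp && frame_type == ETHERTYPE_REVARP)
        return BDG_FORWARD_UNFILTERED;
    if (frame_type != ETHERTYPE_IP)
        return p->ip_only ? BDG_DROP_NONIP : BDG_FORWARD_UNFILTERED;
    return BDG_TO_IPFW;
}

/* Constructed test frame: broadcast destination, locally administered source,
 * the requested type/length field and a zeroed minimum-size payload. */
size_t
make_frame(uint8_t *buf, size_t cap, uint16_t type_or_len)
{
    static const uint8_t dst[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    static const uint8_t src[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };

    if (cap < ETHER_HDR_LEN + ETHER_MIN_PAYLOAD)
        return 0;
    memcpy(buf, dst, 6);
    memcpy(buf + 6, src, 6);
    buf[12] = (uint8_t)(type_or_len >> 8);
    buf[13] = (uint8_t)(type_or_len & 0xff);
    memset(buf + ETHER_HDR_LEN, 0, ETHER_MIN_PAYLOAD);
    return ETHER_HDR_LEN + ETHER_MIN_PAYLOAD;
}

/* Verdict for a constructed frame of the given type under the given options. */
enum bdg_verdict
verdict_for(uint16_t type_or_len, int ip_only, int allow_arp, int allow_rarp)
{
    uint8_t frame[ETHER_HDR_LEN + ETHER_MIN_PAYLOAD];
    struct bdg_policy p = { ip_only, allow_arp, allow_rarp };
    size_t n = make_frame(frame, sizeof frame, type_or_len);

    return bdg_classify(frame, n, &p);
}

int
main(void)
{
    static const char *names[] = { "malformed", "forward (no ipfw)", "to ipfw", "drop (IP only)" };
    /* 0x0040 is an 802.3 length field (a raw IPX-style frame), not an ethertype. */
    static const uint16_t types[] = { ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_REVARP,
                                      ETHERTYPE_IPV6, ETHERTYPE_VLAN, 0x0040 };
    size_t i;

    printf("%-8s %-20s %-20s\n", "type", "stock kernel", "IP_ONLY+ALLOW_ARP");
    for (i = 0; i < sizeof types / sizeof types[0]; i++)
        printf("0x%04x   %-20s %-20s\n", (unsigned)types[i],
               names[verdict_for(types[i], 0, 0, 0)],
               names[verdict_for(types[i], 1, 1, 0)]);
    return 0;
}
```

The "stock kernel" column reproduces the PR's complaint: every non-IP type, including the IPX-style frame, is forwarded without ever reaching ipfw. The "IP_ONLY+ALLOW_ARP" column shows the patched policy, and also its side effect: because only the outer ether_type is tested, IPv6 and 802.1Q-tagged frames are dropped along with IPX, so a bridge carrying either needs that accounted for before the option is enabled.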