Date:      Tue, 18 Jun 2013 15:40:01 GMT
From:      Ian Smith <smithi@nimnet.asn.au>
To:        freebsd-ipfw@FreeBSD.org
Subject:   Re: kern/176503: [ipfw] ipfw layer2 problem
Message-ID:  <201306181540.r5IFe161096806@freefall.freebsd.org>

The following reply was made to PR kern/176503; it has been noted by GNATS.

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org, freebsd@heron.pl
Cc:  
Subject: Re: kern/176503: [ipfw] ipfw layer2 problem
Date: Wed, 19 Jun 2013 01:34:58 +1000

   > net.link.ether.ipfw=1
 
   > 1000 allow ip from any to any layer2 in MAC any any
 
 You don't show the next rule mentioned, but with net.link.ether.ipfw=1 
 (and not bridging) the packet traverses the ruleset up to four times. 
 Your rule 1000 accepts the packet when invoked from ether_demux.  When 
 the packet (thus) gets to ip(6)_input the ruleset is run again at layer 
 3 (IP), which rule 1000 does not match.  It may match any next rule that 
 is not explicitly layer2.  You'll similarly need to pass layer2 packets 
 going 'out', after passing them at layer3.
 
 man ipfw
 /PACKET FLOW
 
 cheers, Ian
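The multi-pass behaviour Ian describes is easy to get wrong without a picture of it, so here is an added Python model (not part of the PR or of FreeBSD's code) of where the ruleset is consulted when net.link.ether.ipfw=1 and bridging is off, following the PACKET FLOW section of ipfw(8): ether_demux (layer2 in), ip_input (layer3 in), ip_output (layer3 out) and ether_output_frame (layer2 out). It assumes a forwarded packet, so all four places are visited, and a default rule 65535 that denies (the kernel default unless IPFIREWALL_DEFAULT_TO_ACCEPT is set). Rule numbers 1010 to 1030 in the second ruleset are constructed for the example. The first ruleset is the reporter's rule 1000 with only the default rule behind it; the trace shows it accepted in ether_demux and then hitting the default deny in ip_input, exactly as the reply says.

```python
"""Model of the ipfw(8) PACKET FLOW with net.link.ether.ipfw=1 (no bridging).
Constructed example for this thread, not FreeBSD code."""

# The four invocation points in the order a forwarded packet meets them.
# The third field is True where the MAC header is still present, i.e. in
# ether_demux() and ether_output_frame().
PASSES = [
    ("ether_demux",        "in",  True),
    ("ip_input",           "in",  False),
    ("ip_output",          "out", False),
    ("ether_output_frame", "out", True),
]


def rule(num, action, *, direction=None, layer2=None, mac=False):
    """One rule.  direction: None, 'in' or 'out'.  layer2: None (keyword
    absent, matches at every place), True ('layer2', only where the MAC
    header is present) or False ('not layer2', only in ip_input/ip_output).
    mac: the rule carries a 'MAC any any' pattern, which per ipfw(8) cannot
    match once the header has been stripped."""
    return {"num": num, "action": action, "direction": direction,
            "layer2": layer2, "mac": mac}


def matches(r, place_dir, place_layer2):
    if r["direction"] is not None and r["direction"] != place_dir:
        return False
    if r["layer2"] is not None and r["layer2"] != place_layer2:
        return False
    if r["mac"] and not place_layer2:
        return False  # no MAC header in ip_input()/ip_output()
    return True


def run_pass(rules, place_dir, place_layer2):
    """First-match semantics; returns (rule number, action)."""
    for r in sorted(rules, key=lambda x: x["num"]):
        if matches(r, place_dir, place_layer2):
            return r["num"], r["action"]
    raise ValueError("ruleset must end with a default rule")


def trace(rules):
    """Walk a forwarded packet through all four passes, stopping at the
    first deny.  Returns a list of (place, rule number, action)."""
    out = []
    for place, d, l2 in PASSES:
        num, action = run_pass(rules, d, l2)
        out.append((place, num, action))
        if action == "deny":
            break
    return out


# The reporter's ruleset as far as it is shown, plus the implicit default
# rule 65535 (assumed to deny).
REPORTED = [
    rule(1000, "allow", direction="in", layer2=True, mac=True),
    rule(65535, "deny"),
]

# A ruleset that passes the packet at every place it is inspected
# (rule numbers 1010-1030 are constructed for this example).
COMPLETE = [
    rule(1000, "allow", direction="in",  layer2=True, mac=True),
    rule(1010, "allow", direction="in",  layer2=False),
    rule(1020, "allow", direction="out", layer2=False),
    rule(1030, "allow", direction="out", layer2=True),
    rule(65535, "deny"),
]

if __name__ == "__main__":
    for name, rs in (("reported", REPORTED), ("complete", COMPLETE)):
        print(name)
        for place, num, action in trace(rs):
            print(f"  {place:20s} -> rule {num} {action}")
```

A packet addressed to the host itself only sees the first two places, and a locally generated one only the last two; the model walks all four because the report concerns forwarded traffic. The same structure is what the skipto example in the PACKET FLOW section of ipfw(8) builds with `layer2` / `not layer2` and `in` / `out` in each branch.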


