Date:      Sat, 24 Oct 2020 16:47:40 +0200
From:      <driesm.michiels@gmail.com>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Converting net.link.bridge.pfil_bridge=0 and net.link.bridge.pfil_member=0 to explicit rules
Message-ID:  <003001d6aa14$9f93f4f0$debbded0$@gmail.com>

Hi IPFW mailing list,

I'm trying to mimic the behavior of the following sysctls in explicit
rules:

* net.link.bridge.pfil_bridge=0
* net.link.bridge.pfil_member=0

From what I understand the first one disables filtering on the bridge, so
incoming packets on the bridge need not be allowed explicitly.

The second one does the same for the members, for both in and outgoing on a
member of the bridge.

So let's say I have em0 as a member which is my WAN connection and igb0.10 as
a VLAN bridge member for IPTV on my LAN.

I have tried the following rules, trying to mimic the behavior of the
sysctls:

* allow ip from any to any in via em0 in via bridge0
* allow ip from any to any in via igb0.10 in via bridge0
* allow ip from any to any in via em0 out via igb0.10
* allow ip from any to any in via igb0.10 out via em0

I can't seem to figure out how to mimic the sysctl behavior.

The reason why I need to disable the sysctls and convert to explicit rules
is because I'm going to add an extra bridge with a private address space.

So packets on this bridge do need to get injected in IPFW for NAT and can't
just get skipped by setting the sysctl knobs.

For now I only have one bridge where I just want to pass all traffic, and so
the sysctls work fine.

Regards,

Dries