From owner-freebsd-net Thu Dec 14 19:44: 8 2000
From owner-freebsd-net@FreeBSD.ORG Thu Dec 14 19:44:04 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from iguana.aciri.org (iguana.aciri.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id C209F37B400 for ; Thu, 14 Dec 2000 19:44:04 -0800 (PST)
Received: (from rizzo@localhost) by iguana.aciri.org (8.11.1/8.11.1) id eBF3i3592156; Thu, 14 Dec 2000 19:44:03 -0800 (PST) (envelope-from rizzo)
From: Luigi Rizzo
Message-Id: <200012150344.eBF3i3592156@iguana.aciri.org>
Subject: Re: non-learning bridge for pathological network
In-Reply-To: <20001214222838.B84586@cgaylord.async.vt.edu> from Clark Gaylord at "Dec 14, 2000 10:28:39 pm"
To: cgaylord@vt.edu (Clark Gaylord)
Date: Thu, 14 Dec 2000 19:44:03 -0800 (PST)
Cc: freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: rizzo@iguana.aciri.org
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

if you want to use bridging and you know the IPs of the hosts on
"networks" A, B, and C (which is what you need to use the 'deny' rules)
you do not need to hack bridge.c.

On the other hand, your solution will not block ARPs and subnet-broadcast
packets, so I really think the best solution is to use 3 real subnets for
A, B and C (i.e. different address ranges), set the machine to act as a
router (net.inet.ip.forwarding=1) and block traffic between A and C using
the firewall below.

No bridging or messing with the kernel involved.

cheers
luigi

> I am interested in creating a pathological lab network with the
> following forwarding rules:
> - three networks (A,B,C)
> - packets from A or C are forwarded to B
> - packets from B are forwarded to both A and C
>
> I was thinking of using BRIDGE+ipfw to create this by hacking
> bridge.c so that all dsts are UNKNOWN, then filtering via ipfw by
> deny ip from A to C
> deny ip from C to A
>
> Seems like this would work, but I was wondering what others' thoughts
> might be on this approach. Perhaps BRIDGE could have a (compile-time?)
> non-learning flag so that all packets get forwarded as if they are
> UNKNOWN.
>
> Oh, btw, I also want tcpdump to work on any of these interfaces. ;-)
>
> Thanks.
> Clark
> cgaylord@vt.edu
>
>
> ----- End forwarded message -----
>
> --
> Clark K. Gaylord
> Blacksburg, Virginia USA
> cgaylord@vt.edu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
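The router-plus-ipfw approach from the reply, written out as an added example that is not part of the original mail: the script emits (rather than runs) the sysctl and ipfw rule set for three distinct subnets, so the ordering (the two A/C denies before the A-B and B-C allows, then a final deny) can be reviewed before it is loaded. The subnets are constructed placeholders; the rule numbers are arbitrary.

```shell
#!/bin/sh
# Added example (not from the mail): generate the ipfw rules that isolate
# A from C while letting both talk to B, on a FreeBSD box acting as a router.
# Because A, B and C are separate IP subnets on separate interfaces, ARP and
# subnet broadcasts stay inside their own segment; only routed IP needs filtering.
NET_A="10.0.1.0/24"   # constructed placeholder
NET_B="10.0.2.0/24"   # constructed placeholder
NET_C="10.0.3.0/24"   # constructed placeholder

# gen_ruleset A B C: print the commands; nothing is applied to the system.
gen_ruleset() {
    a=$1; b=$2; c=$3
    # The router design only works with distinct address ranges.
    if [ "$a" = "$b" ] || [ "$b" = "$c" ] || [ "$a" = "$c" ]; then
        echo "subnets must be distinct" >&2
        return 1
    fi
    cat <<EOF
sysctl net.inet.ip.forwarding=1
ipfw -f flush
ipfw add 100 deny ip from $a to $c
ipfw add 110 deny ip from $c to $a
ipfw add 200 allow ip from $a to $b
ipfw add 210 allow ip from $b to $a
ipfw add 220 allow ip from $c to $b
ipfw add 230 allow ip from $b to $c
ipfw add 65000 deny ip from any to any
EOF
}

gen_ruleset "$NET_A" "$NET_B" "$NET_C"
```

The explicit final deny makes the policy independent of whether the kernel was built to accept or deny by default at rule 65535.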