From owner-freebsd-net Thu Dec 14 21:25:20 2000
From owner-freebsd-net@FreeBSD.ORG Thu Dec 14 21:25:16 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from cgaylord.async.vt.edu (e028121.vtacs.vt.edu [63.164.28.121])
	by hub.freebsd.org (Postfix) with ESMTP id BA44937B400
	for ; Thu, 14 Dec 2000 21:25:16 -0800 (PST)
Received: by cgaylord.async.vt.edu (Postfix, from userid 1000)
	id 6E5882E1; Fri, 15 Dec 2000 00:25:15 -0500 (EST)
Date: Fri, 15 Dec 2000 00:25:15 -0500
From: Clark Gaylord
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Subject: Re: non-learning bridge for pathological network
Message-ID: <20001215002514.C84586@cgaylord.async.vt.edu>
References: <20001214222838.B84586@cgaylord.async.vt.edu> <200012150344.eBF3i3592156@iguana.aciri.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200012150344.eBF3i3592156@iguana.aciri.org>; from rizzo@aciri.org on Thu, Dec 14, 2000 at 07:44:03PM -0800
Sender: gaylord@cgaylord.async.vt.edu
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Luigi --

Thank you for your response. Btw, I've been reading over the bridge code
... many thanks for this valuable resource!

The problem with the "just let it be a router" approach is that I want
all traffic from B to go to A and C, not just that which is actually
intended for said net (yes, all can be considered nets). I.e., a packet
destined for A should be forwarded to C as well as A. I do not see a way
to do this by being a router. OTOH, a non-learning bridge (or pretending
the destination is UNKNOWN ... my hack to lobotomize the bridge) does
this. If there is another way to perform this "forward to multiple
interfaces", I'd be happy to hear what you think.

The point of clobbering ARPs is an interesting one; I'll have to think
about that a bit. I think I can just use static ARP tables for the labs
in question.

The subnet-broadcast IP packets would still have source address from A,
say, so maybe some interface-specific denies, e.g.:

	deny from A via ifC

instead of

	deny from A to C

I still get confused with via.

Clark

On Thu, Dec 14, 2000 at 07:44:03PM -0800, Luigi Rizzo wrote:
> if you want to use bridging and you know the IPs of the hosts on
> "networks" A, B, and C (which is what you need to use the 'deny'
> rules) you do not need to hack bridge.c
>
> On the other hand, your solution will not block ARPs and subnet-broadcast
> packets, so i really think the best solution is to use 3 real
> subnets for A B and C (i.e. different address ranges), set the
> machine to act as a router (net.inet.ip.forwarding=1) and block
> traffic between A and C using the firewall below. No bridging or
> messing with the kernel involved
>
> cheers
> luigi
>
> > I am interested in creating a pathological lab network with the
> > following forwarding rules:
> > - three networks (A,B,C)
> > - packets from A or C are forwarded to B
> > - packets from B are forwarded to both A and C
> >
> > I was thinking of using BRIDGE+ipfw to create this by hacking
> > bridge.c so that all dsts are UNKNOWN, then filtering via ipfw by
> > 	deny ip from A to C
> > 	deny ip from C to A
> >
> > Seems like this would work, but I was wondering what others' thoughts
> > might be on this approach. Perhaps BRIDGE could have a (compile-time?)
> > non-learning flag so that all packets get forwarded as if they are
> > UNKNOWN.
> >
> > Oh, btw, I also want tcpdump to work on any of these interfaces. ;-)
> >
> > Thanks.
> > Clark
> > cgaylord@vt.edu
> >
> >
> > ----- End forwarded message -----
> >
> > --
> > Clark K. Gaylord
> > Blacksburg, Virginia USA
> > cgaylord@vt.edu
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
> >

--
Clark K. Gaylord
Blacksburg, Virginia USA
cgaylord@vt.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
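Worked illustration of the two filtering styles argued over in the thread (an added example, not code from the thread, from FreeBSD's bridge.c or from ipfw): a small model of a non-learning bridge that floods every frame to all other ports, with each flooded copy then judged by ipfw-like rules. It contrasts the original `deny ip from A to C` address rules with the `deny ip from A via ifC` interface rule, and shows why the address rules let a subnet broadcast from A reach C while the `via` rule stops it, and why neither touches ARP (which is not IP). Everything about the lab layout is my assumption: one shared 10.0.0.0/24 bridged across three interfaces `ifA`/`ifB`/`ifC`, "networks" A, B, C as address ranges inside it, and each flooded copy being checked with its outgoing interface known (a simplification of how the bridge/ipfw hook actually runs). The `via` semantics modelled (match on either the receive or the transmit interface) follow ipfw(8); the protocol keyword `ip` is added to the reply's `deny from A via ifC` because an ipfw rule needs one.

```python
"""Model of the thread's non-learning bridge plus ipfw-style filtering.

Added example, not FreeBSD bridge.c or ipfw code. Assumed lab layout (mine,
not the thread's): one shared 10.0.0.0/24 bridged over ifA/ifB/ifC, with
"networks" A, B, C as address ranges in it; each flooded copy is checked
with its outgoing interface known (a simplification).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IFACES = ("ifA", "ifB", "ifC")
RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/26"),
    "B": ipaddress.ip_network("10.0.0.64/26"),
    "C": ipaddress.ip_network("10.0.0.128/26"),
}
SUBNET_BCAST = "10.0.0.255"  # subnet broadcast of the shared /24


@dataclass(frozen=True)
class Packet:
    proto: str      # "ip" or "arp"; ARP is not IP, so 'ip' rules never match it
    src: str        # source IP (for ARP: sender protocol address)
    dst: str        # destination IP (for ARP: target protocol address)
    recv_if: str    # interface the bridge received it on


@dataclass(frozen=True)
class Rule:
    """Subset of ipfw: '<action> <proto> from <src> to <dst> [via <if>]'."""
    action: str                 # "deny" or "allow"
    proto: str                  # "ip" or "all"
    src: str                    # range name ("A", "B", "C") or "any"
    dst: str
    via: Optional[str] = None   # ipfw 'via': matches on receive OR transmit interface


def bridge_flood(pkt: Packet) -> list[str]:
    """Non-learning bridge: every destination is UNKNOWN, so the frame is
    copied to every interface except the one it arrived on."""
    return [i for i in IFACES if i != pkt.recv_if]


def _addr_in(addr: str, name: str) -> bool:
    return name == "any" or ipaddress.ip_address(addr) in RANGES[name]


def rule_matches(rule: Rule, pkt: Packet, xmit_if: str) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.via is not None and rule.via not in (pkt.recv_if, xmit_if):
        return False
    return _addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst)


def forward(pkt: Packet, rules: list[Rule]) -> list[str]:
    """Interfaces a flooded copy actually leaves on. First matching rule wins
    (ipfw order); a copy matched by no rule is passed."""
    passed = []
    for xmit_if in bridge_flood(pkt):
        verdict = next((r.action for r in rules if rule_matches(r, pkt, xmit_if)), "allow")
        if verdict == "allow":
            passed.append(xmit_if)
    return passed


# Ruleset from the original post: filter on addresses only.
ADDR_RULES = [Rule("deny", "ip", "A", "C"), Rule("deny", "ip", "C", "A")]
# Interface-based variant floated in the reply: 'deny ip from A via ifC'.
VIA_RULES = [Rule("deny", "ip", "A", "any", via="ifC"),
             Rule("deny", "ip", "C", "any", via="ifA")]

# Constructed sample traffic (hypothetical hosts in the assumed ranges).
UNICAST_A_TO_C = Packet("ip", "10.0.0.5", "10.0.0.130", "ifA")
BCAST_FROM_A = Packet("ip", "10.0.0.5", SUBNET_BCAST, "ifA")
ARP_FROM_A = Packet("arp", "10.0.0.5", "10.0.0.130", "ifA")
BCAST_FROM_B = Packet("ip", "10.0.0.70", SUBNET_BCAST, "ifB")


def compare() -> dict[str, dict[str, list[str]]]:
    """Where each sample packet ends up under each ruleset."""
    samples = {"A->C unicast": UNICAST_A_TO_C, "A bcast": BCAST_FROM_A,
               "A arp": ARP_FROM_A, "B bcast": BCAST_FROM_B}
    return {name: {"addr": forward(p, ADDR_RULES), "via": forward(p, VIA_RULES)}
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, res in compare().items():
        print(f"{name:14} addr-rules -> {res['addr']}  via-rules -> {res['via']}")
```

Under the address rules the A-to-C unicast is dropped on every copy, but the subnet broadcast from A still leaves on `ifC` because its destination 10.0.0.255 is in none of the ranges; the `via ifC` rule catches that copy while still letting the same packet out on `ifB`, and traffic from B still floods to both A and C. The ARP sample leaves on every port under both rulesets, which is the gap the reply points at: an `ip` rule never sees ARP, so static ARP tables (or a rule that is not restricted to IP) are needed on top.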