Date: Sun, 3 Aug 2003 05:45:19 +0100
From: Andy Gilligan <andy@evo6.org>
To: Mike Wade <mwade@bluehighway.net>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw2 mac address matching weirdness?
Message-ID: <20030803044519.GA32629@vega.evo6.net>
In-Reply-To: <20030802223846.V4501@net-ninja.dyndns.org>
References: <20030802203114.J4501@net-ninja.dyndns.org> <20030803020257.GA79533@vega.evo6.net> <20030802223846.V4501@net-ninja.dyndns.org>
On Sun, Aug 03, 2003 at 03:39:24AM BST, Mike Wade wrote:
> On Sun, 3 Aug 2003, Andy Gilligan wrote:
>
> > On Sun, Aug 03, 2003 at 01:31:23AM BST, Mike Wade wrote:
> > > I'm running FreeBSD 4.8 RELEASE w/ IPFW2 support enabled. I'm running
> > > into some weirdness with the mac address matching feature or perhaps it's
> > > my lack of understanding how it interacts with other rules. :)
> > >
> > > My goal is to transparently redirect everything except a few select MAC
> > > addresses but it doesn't appear to work properly. For example:
> > >
> > > net-ninja# ipfw list
> > > 00001 skipto 65535 ip from any to any MAC any any in via sis0
> > > 00002 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in via sis0
> > > 65535 allow ip from any to any
> > >
> > > This should allow every MAC address to bypass the transparent redirect but
> > > it doesn't. If I change rule #1 to:
> > >
> > > 00001 skipto 65535 ip from any to any in via sis0
> > >
> > > Things work as advertised. Any ideas?
> >
> > Try:
> >
> > sysctl net.link.ether.ipfw=1
>
> Hmm, it was already set:
>
> net-ninja# sysctl net.link.ether.ipfw
> net.link.ether.ipfw: 1

The best advice I can give at the moment is to read the "PACKET FLOW"
section in ipfw(8). A brief read over it suggests that it *may* not be
possible to do what you ask, due to the rules being parsed twice. (in your case)

The first pass is done from ether_demux(), and this will only match the
first rule - it won't match tcp or dst-port 80, etc.

The second pass will come from ip_input(), which will only match the
second rule, as it doesn't know anything about MAC addresses.

I could be missing something (it is 4am), so hopefully somebody will
step in and tell me I'm wrong :)

Sorry I couldn't be of more help.

Best regards,
-Andy
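The two-pass rule walk Andy describes can be modelled in a few lines. The following is an added example, not code from this thread or from FreeBSD's ipfw; it is a deliberately simplified toy evaluator that encodes only what the reply states (the ether_demux() pass knows the MAC header but not the TCP protocol or ports, the ip_input() pass knows the ports but nothing about MAC, and a skipto taken in one pass does not carry over to the other). The `Rule` class, `matches`, `run_pass` and `evaluate` names, and the sample packet are all constructed here, and every other aspect of real ipfw matching is assumed away.

```python
"""Toy model of the two-pass ipfw2 rule walk described in the reply above.

Added example, not FreeBSD code.  It encodes only what the reply states:
  pass 1 (ether_demux) sees the MAC header but no TCP/port information,
  pass 2 (ip_input)    sees TCP/port information but no MAC header,
and a skipto taken in one pass has no effect on the other pass.
Everything else about ipfw is deliberately left out (assumption).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    num: int
    action: str                    # "skipto", "fwd" or "allow"
    target: Optional[int] = None   # skipto target rule number
    proto: str = "ip"              # "ip" (any protocol) or "tcp"
    dst_port: Optional[int] = None
    has_mac: bool = False          # rule carries a "MAC any any" clause


def matches(rule: Rule, pkt: dict, layer2: bool) -> bool:
    """Decide whether a rule matches in the given pass (simplified model)."""
    if layer2:
        # ether_demux pass: MAC is known, but the L4 protocol and ports are
        # not, so (per the reply) a tcp or dst-port rule cannot match here.
        return rule.proto == "ip" and rule.dst_port is None
    # ip_input pass: no MAC header, so a rule with a MAC clause cannot match.
    if rule.has_mac:
        return False
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt["dst_port"]:
        return False
    return True


def run_pass(rules: List[Rule], pkt: dict, layer2: bool) -> str:
    """Walk the (number-sorted) rule list once and return its verdict."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, pkt, layer2):
            i += 1
            continue
        if rule.action == "skipto":
            # jump to the first rule numbered >= the skipto target
            i = next((j for j, r in enumerate(rules) if r.num >= rule.target),
                     len(rules))
            continue
        return rule.action
    return "deny"  # fell off the end of the list: default deny


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Return (ether_demux verdict, ip_input verdict) for one packet."""
    return run_pass(rules, pkt, layer2=True), run_pass(rules, pkt, layer2=False)


# Mike's original ruleset, as listed in the thread.
RULES_WITH_MAC = [
    Rule(1, "skipto", target=65535, has_mac=True),
    Rule(2, "fwd", proto="tcp", dst_port=80),
    Rule(65535, "allow"),
]

# The variant he reports as working: rule 1 without the MAC clause.
RULES_WITHOUT_MAC = [
    Rule(1, "skipto", target=65535),
    Rule(2, "fwd", proto="tcp", dst_port=80),
    Rule(65535, "allow"),
]

# Constructed sample packet: an inbound HTTP request on sis0.
WEB_PKT = {"proto": "tcp", "dst_port": 80}

if __name__ == "__main__":
    # With the MAC clause the layer-2 pass takes the skipto, but the IP pass
    # never sees rule 1 and still hits the fwd rule: ("allow", "fwd").
    print("with MAC clause:   ", evaluate(RULES_WITH_MAC, WEB_PKT))
    # Without it, rule 1 matches on both passes: ("allow", "allow").
    print("without MAC clause:", evaluate(RULES_WITHOUT_MAC, WEB_PKT))
```

The second element of each tuple is what decides the packet's fate for an IP flow, which is why the ruleset with the MAC clause still redirects port 80 traffic: the skipto succeeded, but only in the pass that could not have matched the fwd rule anyway.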