Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 23 Oct 2002 01:19:26 -0400 (EDT)
From:      Andriy Gapon <agapon@excite.com>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw: ether_output_frame -> bdg_forward
Message-ID:  <20021023005503.V44234-100000@edge.foundation.invalid>

Next in thread | Raw E-Mail | Index | Archive | Help

After using my firewall with layer2-specific rules and both
net.link.ether.ipfw=1 and net.link.ether.bridge_ipfw=1, and after looking
into the code in bridge.c /bdg_forward()/ and if_ethersubr.c
/ether_output_frame()/, I am under impression that a packet passed to
ether_output_frame() on a bridged interface will not undergo firewall
checking in either ether_output_frame() (looks like a packet is handed off
to bdg_forward() before any ipfw-related code) or bdg_forward() (there is
a comment saying "Only if firewall is loaded, enabled, and the packet is
not from ether_output() (src==NULL, or we would filter it twice)", which
doesn't seem to be correct).

Have I missed something ?

-- 
Andriy Gapon
*
"Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20021023005503.V44234-100000>