From: Andriy Gapon
Date: Wed, 23 Oct 2002 01:19:26 -0400 (EDT)
To: freebsd-ipfw@freebsd.org
Subject: ipfw: ether_output_frame -> bdg_forward

After using my firewall with layer2-specific rules and both net.link.ether.ipfw=1 and net.link.ether.bridge_ipfw=1, and after looking into the code in bridge.c (bdg_forward()) and if_ethersubr.c (ether_output_frame()), I am under the impression that a packet passed to ether_output_frame() on a bridged interface will not undergo firewall checking in either ether_output_frame() (it looks like a packet is handed off to bdg_forward() before any ipfw-related code) or bdg_forward() (there is a comment saying "Only if firewall is loaded, enabled, and the packet is not from ether_output() (src==NULL, or we would filter it twice)", which doesn't seem to be correct).

Have I missed something?

--
Andriy Gapon
* "Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love"