From: Julian Elischer <julian@freebsd.org>
To: Jake Guffey
Cc: ipfw@freebsd.org, Doug Ambrisko
Date: Thu, 24 Jan 2013 10:37:56 -0700
Subject: Re: IPFW divert with layer 2 interfaces
Message-ID: <51017174.6040205@freebsd.org>
In-Reply-To: <425A98A2-634D-40B8-8D67-6D775D32A499@eprotex.com>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

On 1/24/13 10:16 AM, Jake Guffey wrote:
> Hi:
>
> I am working on a network appliance based on FreeBSD, IPFW, and Suricata. In the scenario that I'm developing for, I need to divert packets sent over a layer 2 bridge for IPS processing. After reinjection, IPFW passes this traffic back to FreeBSD for layer 3 forwarding. I would like to get this working for layer 2 forwarding across the bridge interface(s) involved.
>
> I saw http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html from quite some time ago (2006), and that one of the responders said that he didn't want to commit layer 2 diversion support before layer 2 packet filtering hooks were put in place. To my understanding (please correct me if I'm wrong), the pfil hooks he was referring to are in place now.

hi there..

The original code you refer to was written by Ironport (now cisco) after looking at similar code by imimic (then ironport, now cisco :-)) for use in their web filter appliance. It did work well, however I'm not in that field any more so I can't justify work time in getting it up to date.. Nor do I have access any more to test machines that I can test the result with.

It may be worth asking Doug Ambrisko what the current version of the code looks like.. We had permission to give it back (hence the email) but it never got put into the tree.

> Is there something I can do to help make this happen? I am very rusty with C and will probably not be much help coding, but anything else, I'd be glad to do. I suppose that I could give coding this support a shot, with (likely) a bit of hand-holding from you.
>
> The company that I work for has allocated budget for consulting, so I would be glad to help fund development if that's an issue.
>
> Thanks,
> Jake Guffey
> Network Security Engineer
>
> eProtex
> Network medical device security
>
> 5451 Lakeview Parkway S Drive
> Indianapolis, Indiana 46268, USA
> Mobile: 317-220-7100
> jake.guffey@eprotex.com
> www.eprotex.com