Date:      Fri, 25 Feb 2005 19:44:49 GMT
From:      Manuel Kasper <mk@neon1.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/78090: ipf filtering on bridged packets doesn't work if ipfw is loaded
Message-ID:  <200502251944.j1PJin51051436@www.freebsd.org>
Resent-Message-ID: <200502251950.j1PJoHRg017481@freefall.freebsd.org>


>Number:         78090
>Category:       misc
>Synopsis:       ipf filtering on bridged packets doesn't work if ipfw is loaded
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 25 19:50:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Manuel Kasper
>Release:        5.3-RELEASE
>Organization:
>Environment:
FreeBSD daemon5.neon1.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
If ipfw is loaded, then the net.link.ether.bridge.ipf option, which is designed to pass bridged packets to ipfilter, doesn't work: no ipfilter rules are applied. This happens even when net.link.ether.bridge.ipfw=0.

Closer examination of sys/net/bridge.c reveals that the whole pfil processing part of the code is skipped if IPFW_LOADED == true, in order to prevent ipfw from being called twice on a given packet (once through pfil, and once directly from bdg_forward).
>How-To-Repeat:
Configure ipfilter to block packets, set up bridging between two interfaces. Make sure ipfw is not loaded. Observe that bridged packets are actually blocked by ipfilter. Load ipfw (leave net.link.ether.bridge.ipfw alone). Observe that packets are no longer blocked.
>Fix:
Packets should be tagged somehow in bdg_forward prior to sending them to pfil_run_hooks to make ipfw ignore them when it's called from pfil.
>Release-Note:
>Audit-Trail:
>Unformatted:
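The control-flow problem the PR describes, and the tagging fix it proposes, modelled in user-space C. This is an added illustration and not FreeBSD's sys/net/bridge.c: struct bridge_cfg, struct stats, the TAG_BDG_PFIL flag and the two bdg_forward_* functions are hypothetical stand-ins for the kernel's sysctl variables, mbuf tags and the direct ip_fw_chk() call. The buggy variant skips pfil entirely whenever ipfw is loaded (so ipfilter never sees bridged packets even with net.link.ether.bridge.ipfw=0); the fixed variant tags the packet, always runs the pfil hooks, and has ipfw's hook ignore the tagged packet so ipfw is still consulted at most once.

```c
/*
 * User-space model of the bdg_forward() filter dispatch described in
 * PR misc/78090. Added example, not FreeBSD's bridge.c: the struct names,
 * TAG_BDG_PFIL and the two dispatch functions are hypothetical stand-ins
 * for the kernel's sysctls, mbuf tags (m_tag_*) and ip_fw_chk().
 */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for an mbuf: the only state we need is a tag bitmask. */
#define TAG_BDG_PFIL 0x1u   /* hypothetical: "bridge already ran me through pfil" */
struct pkt { unsigned tags; };

/* The knobs the PR talks about. */
struct bridge_cfg {
    bool ipfw_loaded;   /* IPFW_LOADED: ipfw present in the kernel */
    bool bridge_ipf;    /* net.link.ether.bridge.ipf */
    bool bridge_ipfw;   /* net.link.ether.bridge.ipfw */
};

/* How many times each filter inspected one bridged packet. */
struct stats { int ipf_calls; int ipfw_calls; };

/* ipfilter's pfil hook: inspects whatever pfil hands it. */
static void ipf_hook(struct pkt *p, struct stats *s) {
    (void)p;
    s->ipf_calls++;
}

/* ipfw's pfil hook. With honour_tag set it ignores packets that
 * bdg_forward() tagged, which is the fix the PR suggests. */
static void ipfw_hook(struct pkt *p, bool honour_tag, struct stats *s) {
    if (honour_tag && (p->tags & TAG_BDG_PFIL))
        return;
    s->ipfw_calls++;
}

/* pfil_run_hooks(): every registered hook sees the packet once. */
static void pfil_run_hooks(struct pkt *p, const struct bridge_cfg *c,
                           bool honour_tag, struct stats *s) {
    ipf_hook(p, s);
    if (c->ipfw_loaded)
        ipfw_hook(p, honour_tag, s);
}

/* 5.3-RELEASE behaviour as the PR reports it: the pfil pass is skipped
 * whenever ipfw is loaded, so ipfilter never sees bridged packets. */
struct stats bdg_forward_buggy(struct pkt *p, const struct bridge_cfg *c) {
    struct stats s = { 0, 0 };
    if (c->bridge_ipf && !c->ipfw_loaded)
        pfil_run_hooks(p, c, false, &s);
    if (c->ipfw_loaded && c->bridge_ipfw)
        s.ipfw_calls++;                 /* direct ipfw call from bdg_forward */
    return s;
}

/* Proposed fix: tag, run pfil unconditionally, let ipfw's hook skip the
 * tagged packet, then call ipfw directly only if the sysctl asks for it. */
struct stats bdg_forward_fixed(struct pkt *p, const struct bridge_cfg *c) {
    struct stats s = { 0, 0 };
    if (c->bridge_ipf) {
        p->tags |= TAG_BDG_PFIL;
        pfil_run_hooks(p, c, true, &s);
        p->tags &= ~TAG_BDG_PFIL;       /* don't leak the tag to later layers */
    }
    if (c->ipfw_loaded && c->bridge_ipfw)
        s.ipfw_calls++;
    return s;
}

static void show(const char *label, const struct bridge_cfg *c) {
    struct pkt p = { 0 };
    struct stats b = bdg_forward_buggy(&p, c);
    struct stats f = bdg_forward_fixed(&p, c);
    printf("%-42s buggy: ipf=%d ipfw=%d   fixed: ipf=%d ipfw=%d\n",
           label, b.ipf_calls, b.ipfw_calls, f.ipf_calls, f.ipfw_calls);
}

int main(void) {
    struct bridge_cfg no_ipfw  = { false, true, false };
    struct bridge_cfg ipfw_off = { true,  true, false };   /* the PR's scenario */
    struct bridge_cfg ipfw_on  = { true,  true, true  };
    show("ipfw not loaded, bridge.ipf=1", &no_ipfw);
    show("ipfw loaded, bridge.ipf=1, bridge.ipfw=0", &ipfw_off);
    show("ipfw loaded, bridge.ipf=1, bridge.ipfw=1", &ipfw_on);
    return 0;
}
```

The second scenario is the one from How-To-Repeat: with ipfw loaded and bridge.ipfw left at 0, the buggy dispatch gives ipfilter zero looks at the packet, while the tagged path gives it one and still never consults ipfw. In the kernel the tag would be an mbuf tag attached in bdg_forward and checked in ipfw's pfil hook rather than a bit in a struct.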



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200502251944.j1PJin51051436>