Allow additional packet filtering on the physical interface for locally

destined packets, disabled by default. PR: kern/116051 Submitted by: Eygene Ryabinkin Approved by: re (bmah) MFC after: 2 weeks
2007-09-16 21:09:15 +00:00 · 2007-09-16 21:09:15 +00:00 · 31e4cb54e9
commit 31e4cb54e9
parent 18337730db
2 changed files with 30 additions and 1 deletions
--- a/share/man/man4/if_bridge.4
+++ b/share/man/man4/if_bridge.4
@ -185,6 +185,13 @@ to enable filtering on the bridge interface, set
 to
 .Li 0
 to disable it.
+.It Va net.link.bridge.pfil_local_phys
+Set to
+.Li 1
+to additionally filter on the physical interface for locally destined packets.
+Set to
+.Li 0
+to disable this feature.
 .It Va net.link.bridge.ipfw
 Set to
 .Li 1
@ -310,7 +317,9 @@ that are doing IP-forwarding; in some of such cases it is better
 to assign the IP address only to the
 .Nm
 interface and not to the bridge members.
-But your mileage may vary.
+Enabling
+.Va net.link.bridge.pfil_local_phys
+will let you do the additional filtering on the physical interface.
 .Sh EXAMPLES
 The following when placed in the file
 .Pa /etc/rc.conf
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@ -340,6 +340,8 @@ static int pfil_bridge = 1; /* run pfil hooks on the bridge interface */
 static int pfil_member = 1; /* run pfil hooks on the member interface */
 static int pfil_ipfw = 0;   /* layer2 filter with ipfw */
 static int pfil_ipfw_arp = 0;   /* layer2 filter with ipfw */
+static int pfil_local_phys = 0; /* run pfil hooks on the physical interface for
+                                   locally destined packets */
 static int log_stp   = 0;   /* log STP state changes */
 SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW,
    &pfil_onlyip, 0, "Only pass IP packets when pfil is enabled");
@ -349,6 +351,9 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge, CTLFLAG_RW,
    &pfil_bridge, 0, "Packet filter on the bridge interface");
 SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW,
    &pfil_member, 0, "Packet filter on the member interface");
+SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_local_phys, CTLFLAG_RW,
+    &pfil_local_phys, 0,
+    "Packet filter on the physical interface for locally destined packets");
 SYSCTL_INT(_net_link_bridge, OID_AUTO, log_stp, CTLFLAG_RW,
    &log_stp, 0, "Log STP state changes");

@ -2069,6 +2074,21 @@ bridge_input(struct ifnet *ifp, struct mbuf *m)

 	if (memcmp(eh->ether_dhost, IF_LLADDR(bifp),
 	    ETHER_ADDR_LEN) == 0) {
+		/*
+		 * Filter on the physical interface.
+		 */
+		if (pfil_local_phys && (PFIL_HOOKED(&inet_pfil_hook)
+#ifdef INET6
+		    || PFIL_HOOKED(&inet6_pfil_hook)
+#endif
+		    )) {
+			if (bridge_pfil(&m, NULL, ifp, PFIL_IN) != 0 ||
+			    m == NULL) {
+				BRIDGE_UNLOCK(sc);
+				return (NULL);
+			}
+		}
+
 		/*
 		 * If the packet is for us, set the packets source as the
 		 * bridge, and return the packet back to ether_input for