4b9840932d
Ipfw processing of frames at layer 2 can be enabled by the sysctl variable net.link.ether.ipfw=1 Consider this feature experimental, because right now, the firewall is invoked in the places indicated below, and controlled by the sysctl variables listed on the right. As a consequence, a packet can be filtered from 1 to 4 times depending on the path it follows, which might make a ruleset a bit hard to follow. I will add an ipfw option to tell if we want a given rule to apply to ether_demux() and ether_output_frame(), but we have run out of flags in the struct ip_fw so i need to think a bit on how to implement this. to upper layers | | +----------->-----------+ ^ V [ip_input] [ip_output] net.inet.ip.fw.enable=1 | | ^ V [ether_demux] [ether_output_frame] net.link.ether.ipfw=1 | | +->- [bdg_forward]-->---+ net.link.ether.bridge_ipfw=1 ^ V | | to devices |
||
|---|---|---|
| .. | ||
| libalias | ||
| accf_data.c | ||
| accf_http.c | ||
| icmp6.h | ||
| icmp_var.h | ||
| if_atm.c | ||
| if_atm.h | ||
| if_ether.c | ||
| if_ether.h | ||
| igmp_var.h | ||
| igmp.c | ||
| igmp.h | ||
| in_cksum.c | ||
| in_gif.c | ||
| in_gif.h | ||
| in_pcb.c | ||
| in_pcb.h | ||
| in_proto.c | ||
| in_rmx.c | ||
| in_systm.h | ||
| in_var.h | ||
| in.c | ||
| in.h | ||
| ip6.h | ||
| ip_divert.c | ||
| ip_dummynet.c | ||
| ip_dummynet.h | ||
| ip_ecn.c | ||
| ip_ecn.h | ||
| ip_encap.c | ||
| ip_encap.h | ||
| ip_flow.c | ||
| ip_flow.h | ||
| ip_fw.c | ||
| ip_fw.h | ||
| ip_icmp.c | ||
| ip_icmp.h | ||
| ip_id.c | ||
| ip_input.c | ||
| ip_mroute.c | ||
| ip_mroute.h | ||
| ip_output.c | ||
| ip_var.h | ||
| ip.h | ||
| ipprotosw.h | ||
| raw_ip.c | ||
| tcp_debug.c | ||
| tcp_debug.h | ||
| tcp_fsm.h | ||
| tcp_input.c | ||
| tcp_output.c | ||
| tcp_reass.c | ||
| tcp_seq.h | ||
| tcp_subr.c | ||
| tcp_syncache.c | ||
| tcp_timer.c | ||
| tcp_timer.h | ||
| tcp_timewait.c | ||
| tcp_usrreq.c | ||
| tcp_var.h | ||
| tcp.h | ||
| tcpip.h | ||
| udp_usrreq.c | ||
| udp_var.h | ||
| udp.h | ||