MFC if_bridge.c r1.103, if_bridge.4 r1.29
Allow additional packet filtering on the physical interface for locally destined packets, disabled by default. PR: kern/116051 Submitted by: Eygene Ryabinkin
parent
0f871a6acb
commit
7d4e7d98da
@ -35,7 +35,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd January 20, 2007
|
||||
.Dd September 17, 2007
|
||||
.Dt IF_BRIDGE 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -182,6 +182,13 @@ to enable filtering on the bridge interface, set
|
||||
to
|
||||
.Li 0
|
||||
to disable it.
|
||||
.It Va net.link.bridge.pfil_local_phys
|
||||
Set to
|
||||
.Li 1
|
||||
to additionally filter on the physical interface for locally destined packets.
|
||||
Set to
|
||||
.Li 0
|
||||
to disable this feature.
|
||||
.It Va net.link.bridge.ipfw
|
||||
Set to
|
||||
.Li 1
|
||||
@ -307,7 +314,9 @@ that are doing IP-forwarding; in some of such cases it is better
|
||||
to assign the IP address only to the
|
||||
.Nm
|
||||
interface and not to the bridge members.
|
||||
But your mileage may vary.
|
||||
Enabling
|
||||
.Va net.link.bridge.pfil_local_phys
|
||||
will let you do the additional filtering on the physical interface.
|
||||
.Sh EXAMPLES
|
||||
The following when placed in the file
|
||||
.Pa /etc/rc.conf
|
||||
|
@ -331,6 +331,8 @@ static int pfil_bridge = 1; /* run pfil hooks on the bridge interface */
|
||||
static int pfil_member = 1; /* run pfil hooks on the member interface */
|
||||
static int pfil_ipfw = 0; /* layer2 filter with ipfw */
|
||||
static int pfil_ipfw_arp = 0; /* layer2 filter with ipfw */
|
||||
static int pfil_local_phys = 0; /* run pfil hooks on the physical interface for
|
||||
locally destined packets */
|
||||
static int log_stp = 0; /* log STP state changes */
|
||||
SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW,
|
||||
&pfil_onlyip, 0, "Only pass IP packets when pfil is enabled");
|
||||
@ -340,6 +342,9 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge, CTLFLAG_RW,
|
||||
&pfil_bridge, 0, "Packet filter on the bridge interface");
|
||||
SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW,
|
||||
&pfil_member, 0, "Packet filter on the member interface");
|
||||
SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_local_phys, CTLFLAG_RW,
|
||||
&pfil_local_phys, 0,
|
||||
"Packet filter on the physical interface for locally destined packets");
|
||||
SYSCTL_INT(_net_link_bridge, OID_AUTO, log_stp, CTLFLAG_RW,
|
||||
&log_stp, 0, "Log STP state changes");
|
||||
|
||||
@ -2058,6 +2063,21 @@ bridge_input(struct ifnet *ifp, struct mbuf *m)
|
||||
|
||||
if (memcmp(eh->ether_dhost, IF_LLADDR(bifp),
|
||||
ETHER_ADDR_LEN) == 0) {
|
||||
/*
|
||||
* Filter on the physical interface.
|
||||
*/
|
||||
if (pfil_local_phys && (inet_pfil_hook.ph_busy_count >= 0
|
||||
#ifdef INET6
|
||||
|| inet6_pfil_hook.ph_busy_count >= 0
|
||||
#endif
|
||||
)) {
|
||||
if (bridge_pfil(&m, NULL, ifp, PFIL_IN) != 0 ||
|
||||
m == NULL) {
|
||||
BRIDGE_UNLOCK(sc);
|
||||
return (NULL);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* If the packet is for us, set the packets source as the
|
||||
* bridge, and return the packet back to ether_input for
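Review bot: The new comment `Filter on the physical interface.` above the pfil_local_phys block says what the code does but not why, and the condition that follows is involved enough (sysctl gate, hook-presence test for inet and inet6, unlock-and-drop on failure) that a maintainer needs the intent spelled out; something like `/* Frame is addressed to the bridge itself. If pfil_local_phys is set, run the IP/IPv6 pfil hooks against the member interface it arrived on before handing it to ether_input; bridge-interface filtering happens later on the normal input path. */` would do. The call passes NULL as the bridge interface, so presumably only the member-side hooks inside bridge_pfil run, subject to that function's existing pfil_member and pfil_onlyip handling; if so, pfil_local_phys has no effect with pfil_member=0 and, with pfil_onlyip set, non-IP frames to the bridge MAC are now dropped rather than delivered, which is worth stating in the comment or the sysctl description — confirm against bridge_pfil, which is outside this hunk. The `ph_busy_count >= 0` test mirrors the hook-presence idiom the file appears to use elsewhere, which is fine for consistency. The enclosing bridge_input function starts and ends outside the hunk.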
|
||||
|