diff options
| author | thompsa <thompsa@FreeBSD.org> | 2007-08-01 00:33:52 +0000 |
|---|---|---|
| committer | thompsa <thompsa@FreeBSD.org> | 2007-08-01 00:33:52 +0000 |
| commit | aa0911f2041ef5f70ebe1165b72029c30c030427 (patch) | |
| tree | 5374e51582956994e2fe77a4be88a5b6059ab5f0 /sbin | |
| parent | 465b2caeed873f769899aeb76aedc4d62b20a72e (diff) | |
| download | FreeBSD-src-aa0911f2041ef5f70ebe1165b72029c30c030427.zip FreeBSD-src-aa0911f2041ef5f70ebe1165b72029c30c030427.tar.gz | |
Add a bridge interface flag called PRIVATE where any private port can not
communicate with another private port.
All unicast/broadcast/multicast layer2 traffic is blocked so it works much the
same way as using firewall rules but scales better and is generally easier as
firewall packages usually do not allow ARP blocking.
An example usage would be having a number of customers on separate vlans
bridged with a server network. All the vlans are marked private, they can all
communicate with the server network unhindered, but can not exchange any
traffic whatsoever with each other.
Approved by: re (rwatson)
Diffstat (limited to 'sbin')
| -rw-r--r-- | sbin/ifconfig/ifbridge.c | 16 | ||||
| -rw-r--r-- | sbin/ifconfig/ifconfig.8 | 10 |
2 files changed, 26 insertions, 0 deletions
diff --git a/sbin/ifconfig/ifbridge.c b/sbin/ifconfig/ifbridge.c index 72fd491..d8176a8 100644 --- a/sbin/ifconfig/ifbridge.c +++ b/sbin/ifconfig/ifbridge.c @@ -665,6 +665,20 @@ setbridge_timeout(const char *arg, int d, int s, const struct afswtch *afp) err(1, "BRDGSTO %s", arg); } +static void +setbridge_private(const char *val, int d, int s, const struct afswtch *afp) +{ + + do_bridgeflag(s, val, IFBIF_PRIVATE, 1); +} + +static void +unsetbridge_private(const char *val, int d, int s, const struct afswtch *afp) +{ + + do_bridgeflag(s, val, IFBIF_PRIVATE, 0); +} + static struct cmd bridge_cmds[] = { DEF_CMD_ARG("addm", setbridge_add), DEF_CMD_ARG("deletem", setbridge_delete), @@ -701,6 +715,8 @@ static struct cmd bridge_cmds[] = { DEF_CMD_ARG2("ifpriority", setbridge_ifpriority), DEF_CMD_ARG2("ifpathcost", setbridge_ifpathcost), DEF_CMD_ARG("timeout", setbridge_timeout), + DEF_CMD_ARG("private", setbridge_private), + DEF_CMD_ARG("-private", unsetbridge_private), }; static struct afswtch af_bridge = { .af_name = "af_bridge", diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8 index 79f0ce2..63b4317 100644 --- a/sbin/ifconfig/ifconfig.8 +++ b/sbin/ifconfig/ifconfig.8 @@ -1502,6 +1502,16 @@ address is seen on a different interface. Clear the .Dq sticky attribute on a member interface. +.It Cm private Ar interface +Mark an interface as a +.Dq private +interface. +A private interface does not forward any traffic to any other port that is also +a private interface. +.It Cm -private Ar interface +Clear the +.Dq private +attribute on a member interface. .It Cm span Ar interface Add the interface named by .Ar interface |
