author | thompsa <thompsa@FreeBSD.org> | 2005-12-29 09:39:15 +0000 |
---|---|---|
committer | thompsa <thompsa@FreeBSD.org> | 2005-12-29 09:39:15 +0000 |
commit | 09f2498e57220d9c00512076352be6921f59539f (patch) | |
tree | f0bd6f09009d2c92b5cc7c33b5a3e5173720f1e2 /sys/net/if_bridge.c | |
parent | 14470d19cdb056fa04457586456f3f82d6e093b9 (diff) | |
download | FreeBSD-src-09f2498e57220d9c00512076352be6921f59539f.zip FreeBSD-src-09f2498e57220d9c00512076352be6921f59539f.tar.gz |
When pfil(9) is enabled the bridge only considers ETHERTYPE_ARP, ETHERTYPE_IP and
ETHERTYPE_IPV6 frames. Change this to be a sysctl knob so that it is still able to
bridge non-IP packets if desired.
Also return early if all pfil_* sysctls are turned off, the user obviously does
not want to filter on the bridge.
Diffstat (limited to 'sys/net/if_bridge.c')
-rw-r--r-- | sys/net/if_bridge.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index d98052f..4c15831 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -260,9 +260,12 @@ static int bridge_ip6_checkbasic(struct mbuf **mp);
 SYSCTL_DECL(_net_link);
 SYSCTL_NODE(_net_link, IFT_BRIDGE, bridge, CTLFLAG_RW, 0, "Bridge");
+static int pfil_onlyip = 1; /* only pass IP[46] packets when pfil is enabled */
 static int pfil_bridge = 1; /* run pfil hooks on the bridge interface */
 static int pfil_member = 1; /* run pfil hooks on the member interface */
 static int pfil_ipfw = 0; /* layer2 filter with ipfw */
+SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW,
+    &pfil_onlyip, 0, "Only pass IP packets when pfil is enabled");
 SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge, CTLFLAG_RW,
     &pfil_bridge, 0, "Packet filter on the bridge interface");
 SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW,
@@ -417,9 +420,11 @@ sysctl_pfil_ipfw(SYSCTL_HANDLER_ARGS)
 	/*
 	 * Disable pfil so that ipfw doesnt run twice, if the user
 	 * really wants both then they can re-enable pfil_bridge and/or
-	 * pfil_member.
+	 * pfil_member. Also allow non-ip packets as ipfw can filter by
+	 * layer2 type.
 	 */
 	if (pfil_ipfw) {
+		pfil_onlyip = 0;
 		pfil_bridge = 0;
 		pfil_member = 0;
 	}
@@ -2498,6 +2503,9 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir)
 	snap = 0;
 	error = -1; /* Default error if not error == 0 */
+	if (pfil_bridge == 0 && pfil_member == 0 && pfil_ipfw == 0)
+		return 0; /* filtering is disabled */
+
 	i = min((*mp)->m_pkthdr.len, max_protohdr);
 	if ((*mp)->m_len < i) {
 		*mp = m_pullup(*mp, i);
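Review bot: Clearing pfil_onlyip when pfil_ipfw is switched on is one-way: the else branch of sysctl_pfil_ipfw lies outside this hunk and presumably restores pfil_bridge and pfil_member, but nothing visible restores pfil_onlyip, so after toggling pfil_ipfw on and then off again non-IP frames keep bypassing the default drop in bridge_pfil until the administrator sets net.link.bridge.pfil_onlyip back to 1 by hand. If pfil_onlyip is meant to track pfil_ipfw, add `pfil_onlyip = 1;` next to the other restores in the else branch; if the asymmetry is intended, say so in the comment above the if, e.g. `* pfil_onlyip is not restored when pfil_ipfw is turned off again.` The body of sysctl_pfil_ipfw continues past the end of this hunk.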
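Review bot: The new early return in bridge_pfil does not consult pfil_onlyip, so the default drop of non-IP frames in the default: case further down is only enforced while at least one of pfil_bridge, pfil_member or pfil_ipfw is set; that matches the sysctl description ("when pfil is enabled") but is easy to misread from the code alone. Consider making it explicit in the comment: `return 0; /* filtering is disabled; pfil_onlyip only applies while a hook is active */`. bridge_pfil begins before and ends after this hunk.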
@@ -2545,11 +2553,11 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir)
 		break;
 	default:
 		/*
-		 * ipfw allows layer2 protocol filtering using
-		 * 'mac-type' so we will let the packet past, if
-		 * ipfw is disabled then drop it.
+		 * Check to see if the user wants to pass non-ip
+		 * packets, these will not be checked by pfil(9) and
+		 * passed unconditionally so the default is to drop.
 		 */
-		if (!IPFW_LOADED || pfil_ipfw == 0)
+		if (pfil_onlyip)
 			goto bad;
 	} |
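Review bot: Replacing `!IPFW_LOADED || pfil_ipfw == 0` with `pfil_onlyip` drops the ipfw-loaded check: when pfil_ipfw is set to 1 (which clears pfil_onlyip in sysctl_pfil_ipfw) but the ipfw module is not loaded, non-IP frames now pass the bridge unfiltered where the old code dropped them, so the failure mode for this configuration changes from closed to open. Unless the later ipfw call in bridge_pfil, outside this hunk, itself rejects the frame when ipfw is absent, consider keeping the guard: `if (pfil_onlyip || (pfil_ipfw && !IPFW_LOADED))` followed by `goto bad;`. The removed comment also recorded why ipfw justified passing the frame (it can match on layer-2 type); the new comment could keep that rationale in one sentence. bridge_pfil starts before this hunk.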