Add a bridge interface flag called PRIVATE where any private port can not

communicate with another private port.

All unicast/broadcast/multicast layer2 traffic is blocked so it works much the
same way as using firewall rules but scales better and is generally easier as
firewall packages usually do not allow ARP blocking.

An example usage would be having a number of customers on separate vlans
bridged with a server network. All the vlans are marked private, they can all
communicate with the server network unhindered, but can not exchange any
traffic whatsoever with each other.

Approved by:	re (rwatson)

1 files changed, 3 insertions, 1 deletions

diff --git a/sys/net/if_bridgevar.h b/sys/net/if_bridgevar.h
index 8097cd9..ddd8ce7 100644
--- a/sys/net/if_bridgevar.h
+++ b/sys/net/if_bridgevar.h
@@ -142,9 +142,11 @@ struct ifbreq {
 #define	IFBIF_BSTP_AUTOPTP	0x0100	/* member stp autoptp enabled */
 #define	IFBIF_BSTP_ADMEDGE	0x0200	/* member stp admin edge enabled */
 #define	IFBIF_BSTP_ADMCOST	0x0400	/* member stp admin path cost */
+#define	IFBIF_PRIVATE		0x0800	/* if is a private segment */
 
 #define	IFBIFBITS	"\020\001LEARNING\002DISCOVER\003STP\004SPAN" \
-			"\005STICKY\006EDGE\007AUTOEDGE\010PTP\011AUTOPTP"
+			"\005STICKY\014PRIVATE\006EDGE\007AUTOEDGE\010PTP" \
+			"\011AUTOPTP"
 #define	IFBIFMASK	~(IFBIF_BSTP_EDGE|IFBIF_BSTP_AUTOEDGE|IFBIF_BSTP_PTP| \
 			IFBIF_BSTP_AUTOPTP|IFBIF_BSTP_ADMEDGE| \
 			IFBIF_BSTP_ADMCOST)	/* not saved */