diff options
| author | Luiz Otavio O Souza <luiz@netgate.com> | 2016-10-17 11:42:07 -0500 |
|---|---|---|
| committer | Luiz Souza <luiz@netgate.com> | 2017-07-14 14:42:30 -0500 |
| commit | e109da84ad0d8dee6a9ac0874f031644409ab8da (patch) | |
| tree | edc3e9f2abc0930524b6ae903733c82fc93f668a /sys/netpfil/ipfw/ip_fw2.c | |
| parent | 5460e9cd463e7b582a2f721e487c92a97262bb2c (diff) | |
| download | FreeBSD-src-e109da84ad0d8dee6a9ac0874f031644409ab8da.zip FreeBSD-src-e109da84ad0d8dee6a9ac0874f031644409ab8da.tar.gz | |
Add ipfw support to MAC address tables.
The l2 filter implementation on ipfw works with MAC address pairs as it happens on wire (first destination and then source).
The table entries works in the same way, but the MAC address pair has to be passed in a single argument:
$ ipfw table create l2 type mac
$ ipfw table add "00:01:02:03:04:05 0a:0b:0c:0d:0e:0f"
added: 00:01:02:03:04:05 0a:0b:0c:0d:0e:0f 0
$ ipfw table add "00:01:02:03:04:05 any"
added: 00:01:02:03:04:05 any 0
$ ipfw table l2 add "any 0a:0b:0c:0d:0e:0f"
added: any 0a:0b:0c:0d:0e:0f 0
The MAC tables can also hold an optinal value used to implement additional features (skipto, fib, pipe, tag, nat, ...).
$ ipfw table l2 add "00:01:02:03:04:05 0a:0b:0c:0d:0e:ff" 1234
added: 00:01:02:03:04:05 0a:0b:0c:0d:0e:ff 1234
$ ipfw table l2 list
--- table(l2), set(0) ---
00:01:02:03:04:05 0a:0b:0c:0d:0e:0f 0
any 0a:0b:0c:0d:0e:0f 0
00:01:02:03:04:05 any 0
00:01:02:03:04:05 0a:0b:0c:0d:0e:ff 1234
Rule example:
$ ipfw add pass MAC 1:2:3:4:5:6 2:3:4:5:6:7 via igb0
00100 allow ip from any to any MAC 01:02:03:04:05:06 02:03:04:05:06:07 via igb0
$ ipfw add pass MAC table\(l2\) via igb0
00000 allow ip from any to any MAC table(l2) via igb0
$ ipfw list
00100 allow ip from any to any MAC 01:02:03:04:05:06 02:03:04:05:06:07 via igb0
00200 allow ip from any to any MAC table(l2) via igb0
00300 allow ip from any to any
65535 deny ip from any to any
(cherry picked from commit 1fc9408b335ef6e8863019212c12a4bc99ed8e75)
Diffstat (limited to 'sys/netpfil/ipfw/ip_fw2.c')
| -rw-r--r-- | sys/netpfil/ipfw/ip_fw2.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index a66d5e7..1228f47 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -1388,6 +1388,18 @@ do { \ chain, &tablearg); break; + case O_MACADDR2_LOOKUP: + if (args->eh != NULL) { /* have MAC header */ + uint32_t v = 0; + match = ipfw_lookup_table_extended(chain, + cmd->arg1, 0, args->eh, &v); + if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) + match = ((ipfw_insn_u32 *)cmd)->d[0] == v; + if (match) + tablearg = v; + } + break; + case O_MACADDR2: if (args->eh != NULL) { /* have MAC header */ u_int32_t *want = (u_int32_t *) |
