-rw-r--r--share/man/man4/if_bridge.411
-rw-r--r--sys/net/if_bridge.c20
2 files changed, 30 insertions, 1 deletions
diff --git a/share/man/man4/if_bridge.4 b/share/man/man4/if_bridge.4
index 6daf89c..8fdc09b 100644
--- a/share/man/man4/if_bridge.4
+++ b/share/man/man4/if_bridge.4
@@ -185,6 +185,13 @@ to enable filtering on the bridge interface, set
to
.Li 0
to disable it.
+.It Va net.link.bridge.pfil_local_phys
+Set to
+.Li 1
+to additionally filter on the physical interface for locally destined packets.
+Set to
+.Li 0
+to disable this feature.
.It Va net.link.bridge.ipfw
Set to
.Li 1
@@ -310,7 +317,9 @@ that are doing IP-forwarding; in some of such cases it is better
to assign the IP address only to the
.Nm
interface and not to the bridge members.
-But your mileage may vary.
+Enabling
+.Va net.link.bridge.pfil_local_phys
+will let you do the additional filtering on the physical interface.
.Sh EXAMPLES
The following when placed in the file
.Pa /etc/rc.conf
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 6c96cbb..e464d96 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -340,6 +340,8 @@ static int pfil_bridge = 1; /* run pfil hooks on the bridge interface */
static int pfil_member = 1; /* run pfil hooks on the member interface */
static int pfil_ipfw = 0; /* layer2 filter with ipfw */
static int pfil_ipfw_arp = 0; /* layer2 filter with ipfw */
+static int pfil_local_phys = 0; /* run pfil hooks on the physical interface for
+ locally destined packets */
static int log_stp = 0; /* log STP state changes */
SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW,
&pfil_onlyip, 0, "Only pass IP packets when pfil is enabled");
@@ -349,6 +351,9 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge, CTLFLAG_RW,
&pfil_bridge, 0, "Packet filter on the bridge interface");
SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW,
&pfil_member, 0, "Packet filter on the member interface");
+SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_local_phys, CTLFLAG_RW,
+ &pfil_local_phys, 0,
+ "Packet filter on the physical interface for locally destined packets");
SYSCTL_INT(_net_link_bridge, OID_AUTO, log_stp, CTLFLAG_RW,
&log_stp, 0, "Log STP state changes");
@@ -2070,6 +2075,21 @@ bridge_input(struct ifnet *ifp, struct mbuf *m)
if (memcmp(eh->ether_dhost, IF_LLADDR(bifp),
ETHER_ADDR_LEN) == 0) {
/*
+ * Filter on the physical interface.
+ */
+ if (pfil_local_phys && (PFIL_HOOKED(&inet_pfil_hook)
+#ifdef INET6
+ || PFIL_HOOKED(&inet6_pfil_hook)
+#endif
+ )) {
+ if (bridge_pfil(&m, NULL, ifp, PFIL_IN) != 0 ||
+ m == NULL) {
+ BRIDGE_UNLOCK(sc);
+ return (NULL);
+ }
+ }
+
+ /*
* If the packet is for us, set the packets source as the
* bridge, and return the packet back to ether_input for
* local processing.
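Review bot: The new bridge_pfil() call on the locally-destined path runs while the bridge lock is still held (the early-return path has to BRIDGE_UNLOCK(sc)), so the pfil hooks (pf/ipfw and anything else chained in) now execute inside the bridge critical section; please confirm this matches how the other bridge_pfil() callers in this file order the lock, since those sit outside the hunk. The mbuf is also handed over with `NULL` for the bridge interface, so only the physical member `ifp` is offered to the hooks; if bridge_pfil() gates member filtering on net.link.bridge.pfil_member, this knob is silently a no-op when pfil_member=0 and the new man page entry should say so. A short comment above the call would make the intent clear to the next reader: `/* Inbound pfil on the member (ifp) only; the packet's source is re-pointed at the bridge below, so this is the only point rules keyed on the physical interface see it. */`. bridge_input() begins and ends outside this hunk.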