>Submitter-Id: current-users
>Originator: Joost Bekkers
>Organization:
>Confidential: no
>Synopsis: bridge/firewall doesn't work as in bridge(4)
>Severity: serious
>Priority: medium
>Category: kern
>Release: FreeBSD 4.2-RELEASE i386
>Class: sw-bug
>Environment:
4.2 RELEASE with the options BRIDGE and IPFIREWALL.
>Description:
When using a kernel with BRIDGE and IPFIREWALL and not
IPFIREWALL_DEFAULT_TO_ACCEPT, bridge(4) states all non-IP
packets will not be forwarded. This is not true! All non-IP
packets will be forwarded regardless of the firewall.
>How-To-Repeat:
Make a kernel with BRIDGE and IPFIREWALL. Generate non-IP
(like ARP or IPX) traffic and notice how it passes through
the bridge.
>Fix:
I've added some options to make the bridge/firewall combo useful.
# $FreeBSD: src/sys/conf/options,v 1.191.2.20 2000/11/16 17:28:30 archie Exp $
*** conf/options~ Thu Dec 21 20:06:38 2000
--- conf/options Thu Dec 21 13:04:05 2000
***************
*** 220,225 ****
--- 220,228 ----
BOOTP_NFSV3 opt_bootp.h
BOOTP_WIRED_TO opt_bootp.h
BRIDGE opt_bdg.h
+ BRIDGE_IP_ONLY opt_bdg.h
+ BRIDGE_ALLOW_ARP opt_bdg.h
+ BRIDGE_ALLOW_RARP opt_bdg.h
ETHER_II opt_ef.h
ETHER_8023 opt_ef.h
ETHER_8022 opt_ef.h
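Review bot: the three new options are declared here but nothing documents them: the patch touches neither the LINT config nor bridge(4), although the report's whole point is that bridge(4) misdescribes the bridge/ipfw interaction. Also, BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP have no effect unless BRIDGE_IP_ONLY is set as well (in the bridge.c hunk their checks sit ahead of a `goto forward` that already passes every non-IP frame), so say so next to the declarations, e.g. `BRIDGE_ALLOW_ARP opt_bdg.h # only with BRIDGE_IP_ONLY`. Since bridging itself is switched on at run time through a sysctl, a sysctl for the filtering policy would let the admin change it without rebuilding the kernel.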
* $FreeBSD: src/sys/net/bridge.c,v 1.16.2.6 2000/09/25 17:30:01 nsayer Exp $
*** net/bridge.c~ Thu Dec 21 20:04:45 2000
--- net/bridge.c Thu Dec 21 20:44:41 2000
***************
*** 56,61 ****
--- 56,71 ----
* option BRIDGE
* and then at runtime set the sysctl variable to enable bridging.
*
+ * If you want to combine a bridge with a firewall:
+ * option IPFIREWALL
+ * and since it usualy doesn't make a lot of sense to block ip and
+ * let all the other protocols pass freely, use
+ * option BRIDGE_IP_ONLY
+ * And because arp (and sometimes rarp) can be extremely usefull in
+ * an ip network
+ * option BRIDGE_ALLOW_ARP
+ * option BRIDGE_ALLOW_RARP
+ *
* Only one interface is supposed to have addresses set (but
* there are no problems in practice if you set addresses for more
* than one interface).
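Review bot: the new comment has spelling errors ("usualy", "usefull") and leaves out the two things a reader deciding on these options needs: that BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP only take effect together with BRIDGE_IP_ONLY, and that ARP/RARP frames admitted this way are forwarded without any filtering, so ipfw cannot stop ARP spoofing across the bridge. Suggest rewording the option lines to something like ` * option BRIDGE_ALLOW_ARP   (only meaningful with BRIDGE_IP_ONLY; ARP is forwarded unfiltered)`.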
***************
*** 91,96 ****
--- 101,107 ----
#include "opt_ipfw.h"
#include "opt_ipdn.h"
+ #include "opt_bdg.h"
#if defined(IPFIREWALL)
#include <net/route.h>
***************
*** 445,450 ****
--- 456,474 ----
bzero(ifp2sc, BDG_MAX_PORTS * sizeof(struct bdg_softc) );
bzero(&bdg_stats, sizeof(bdg_stats) );
+ /* added by bps */
+ printf("BRIDGING ENABLED"
+ #ifdef BRIDGE_IP_ONLY
+ " protocols ip"
+ #ifdef BRIDGE_ALLOW_ARP
+ ",arp"
+ #endif
+ #ifdef BRIDGE_ALLOW_RARP
+ ",rarp"
+ #endif
+ " only"
+ #endif
+ "\n");
bdgtakeifaces();
bdg_timeout(0);
do_bridge=0;
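Review bot: the message is misleading and the attribution comment does not belong. The printf runs in the initialisation path where `do_bridge=0;` is set two lines later, so at that point bridging is compiled in and configured, not enabled; bridging is enabled later via the sysctl. Say "bridge: compiled with ..." here or move the message to where do_bridge is actually set. Drop `/* added by bps */`; the commit log records authorship, and such comments go stale.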
***************
*** 658,663 ****
--- 682,688 ----
struct ip_fw_chain *rule = NULL ;
int off;
struct ip *ip ;
+ u_short frame_type;
m = *m0 ;
#ifdef DUMMYNET
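Review bot: `frame_type` is assigned unconditionally in the next hunk but only read under #ifdef BRIDGE_ALLOW_ARP / BRIDGE_ALLOW_RARP, while the existing IP test right after those checks still calls `ntohs(eh->ether_type)` a second time. Either use `frame_type` in the IP test too (then the variable is always used) or guard the declaration and the assignment with the same #ifdefs so a kernel built without the ARP/RARP options does not carry a dead variable.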
***************
*** 678,685 ****
--- 703,729 ----
goto forward ;
if (src == NULL)
goto forward ; /* do not apply to packets from ether_output */
+ frame_type=ntohs(eh->ether_type);
+ #ifdef BRIDGE_ALLOW_ARP
+ if (frame_type == ETHERTYPE_ARP)
+ goto forward ; /* BRIDGE_ALLOW_ARP is defined, so forward arp */
+ #endif
+ #ifdef BRIDGE_ALLOW_RARP
+ if (frame_type == ETHERTYPE_REVARP)
+ goto forward ; /* BRIDGE_ALLOW_RARP is defined, so forward rarp */
+ #endif
if (ntohs(eh->ether_type) != ETHERTYPE_IP)
+ #ifdef BRIDGE_IP_ONLY /* we're bridging IP (and maybe arp/rarp) only */
+ {
+ if (canfree) {
+ m_freem(*m0) ;
+ *m0 = NULL ;
+ }
+ return 0;
+ }
+ #else /* we're bridging everything */
goto forward ; /* not an IP packet, ipfw is not appropriate */
+ #endif
/*
* In this section, canfree=1 means m is the same as *m0.
* canfree==0 means m is a copy. We need to make a copy here
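Review bot: three problems in this hunk. First, the ARP/RARP shortcuts are outside `#ifdef BRIDGE_IP_ONLY`, so without that option they are dead code (the unchanged `goto forward` on the non-IP test already passes them); nest them inside the BRIDGE_IP_ONLY branch to make the dependency explicit. Second, putting `#ifdef`/`#else`/`#endif` between the `if (ntohs(eh->ether_type) != ETHERTYPE_IP)` and its body, with a `{ ... }` block in one branch and a bare `goto forward ;` in the other, is fragile; write the braces unconditionally and put only the drop-or-forward statement under the preprocessor test, and use `frame_type` there instead of a second `ntohs()`. Third, the new drop path is invisible: neither bdg_stats nor ipfw sees the frames it discards, and ARP/RARP admitted by the shortcuts bypass ipfw entirely, so a host on either side can still ARP-spoof through the "firewalled" bridge. Count the drops in bdg_stats and state in the comment that ARP is forwarded unfiltered.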
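The forwarding decision the report complains about, and the one the patch introduces, reduced to a user-space model so the combinations can be checked without building a kernel. This is an added example, not FreeBSD's bridge.c; the `struct bdg_policy` flags are hypothetical run-time stand-ins for the three compile-time options, the frames are constructed inline, and IPX is used as the non-IP traffic the report mentions. It shows the stock behaviour (non-IP frames never reach ipfw), the BRIDGE_IP_ONLY behaviour, and the caveat that ARP admitted by BRIDGE_ALLOW_ARP is forwarded without any filtering.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ethernet type values as in <net/ethernet.h>. */
#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_IPX    0x8137   /* non-IP traffic named in the report */
#define ETHER_HDR_LEN    14

/* What bdg_forward() does with a frame before the ipfw section. */
enum bdg_verdict { BDG_DROP = 0, BDG_FORWARD = 1, BDG_IPFW = 2 };

/* Hypothetical run-time stand-ins for the patch's compile-time options. */
struct bdg_policy {
    int ip_only;      /* BRIDGE_IP_ONLY */
    int allow_arp;    /* BRIDGE_ALLOW_ARP */
    int allow_rarp;   /* BRIDGE_ALLOW_RARP */
};

/* Same order of tests as the patched bdg_forward(): ARP/RARP shortcuts,
 * then the IP test, then drop (ip_only) or forward (everything else). */
enum bdg_verdict bdg_classify(const struct bdg_policy *p,
                              const uint8_t *frame, size_t len)
{
    uint16_t frame_type;

    if (len < ETHER_HDR_LEN)
        return BDG_DROP;                       /* runt: no ether_type */
    frame_type = (uint16_t)((frame[12] << 8) | frame[13]);  /* ntohs() */

    if (p->allow_arp && frame_type == ETHERTYPE_ARP)
        return BDG_FORWARD;                    /* never reaches ipfw */
    if (p->allow_rarp && frame_type == ETHERTYPE_REVARP)
        return BDG_FORWARD;                    /* never reaches ipfw */
    if (frame_type != ETHERTYPE_IP)
        return p->ip_only ? BDG_DROP : BDG_FORWARD;
    return BDG_IPFW;                           /* IP: handed to ipfw */
}

/* Build a minimal constructed frame (broadcast dst, made-up src) of the
 * given type and classify it. */
enum bdg_verdict verdict_for(const struct bdg_policy *p, uint16_t type)
{
    uint8_t frame[ETHER_HDR_LEN + 4];
    static const uint8_t dst[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    static const uint8_t src[6] = {0x00, 0x50, 0x56, 0x00, 0x00, 0x01};

    memset(frame, 0, sizeof frame);
    memcpy(frame, dst, 6);
    memcpy(frame + 6, src, 6);
    frame[12] = (uint8_t)(type >> 8);
    frame[13] = (uint8_t)(type & 0xff);
    return bdg_classify(p, frame, sizeof frame);
}

/* The report: BRIDGE + IPFIREWALL only, IPX crosses the bridge unseen. */
int stock_kernel_forwards_ipx(void)
{
    struct bdg_policy stock = {0, 0, 0};
    return verdict_for(&stock, ETHERTYPE_IPX) == BDG_FORWARD;
}

/* BRIDGE_IP_ONLY alone: IPX and ARP are dropped, IP still goes to ipfw. */
int ip_only_drops_non_ip(void)
{
    struct bdg_policy p = {1, 0, 0};
    return verdict_for(&p, ETHERTYPE_IPX) == BDG_DROP &&
           verdict_for(&p, ETHERTYPE_ARP) == BDG_DROP &&
           verdict_for(&p, ETHERTYPE_IP) == BDG_IPFW;
}

/* Caveat: ARP admitted by BRIDGE_ALLOW_ARP bypasses ipfw completely, so
 * the firewall cannot stop ARP spoofing across the bridge. */
int allow_arp_bypasses_ipfw(void)
{
    struct bdg_policy p = {1, 1, 0};
    return verdict_for(&p, ETHERTYPE_ARP) == BDG_FORWARD;
}

/* Without BRIDGE_IP_ONLY the ARP/RARP options change nothing. */
int allow_arp_is_noop_without_ip_only(void)
{
    struct bdg_policy with = {0, 1, 1}, without = {0, 0, 0};
    return verdict_for(&with, ETHERTYPE_ARP) == verdict_for(&without, ETHERTYPE_ARP) &&
           verdict_for(&with, ETHERTYPE_IPX) == verdict_for(&without, ETHERTYPE_IPX);
}

int main(void)
{
    printf("stock forwards IPX: %d\n", stock_kernel_forwards_ipx());
    printf("IP_ONLY drops non-IP: %d\n", ip_only_drops_non_ip());
    printf("ALLOW_ARP bypasses ipfw: %d\n", allow_arp_bypasses_ipfw());
    printf("ALLOW_ARP no-op w/o IP_ONLY: %d\n", allow_arp_is_noop_without_ip_only());
    return 0;
}
```

The model keeps the patch's order of tests on purpose: because the ARP/RARP shortcuts come before anything else, any frame they match is forwarded with no further inspection, which is the property to weigh before enabling BRIDGE_ALLOW_ARP on a bridge that is supposed to act as a firewall.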