Bruce,

> > In my case if_bridge drops off the packet because firewall fails to
> > recognize the packet as good: the interface that is passed to a
> > pfil_hooks is bad (I mean not the one expected).
>
> The ifp which your patch changes is that of the mbuf chain when bridge_input
> determines it is not for the bridge, but should be forwarded locally. The patch
> forces a locally forwarded frame to have the same ifp as it had when it came
> into bridge_input. I can foresee problems if the same Ethernet destination
> address exists on multiple bridge member interfaces.

The code in the if_bridge.c changes the ifp anyway: I am just setting the ifp to a more sane value.

> NetBSD consistently uses pfil_hooks for the if_bridge *and* ether_input
> paths,
> FreeBSD currently calls ipfw directly for ether_input, which may make a
> difference to the behaviour which you are seeing with VLANs.

I am awfully sorry, but you seem to be mistaken: if_bridge calls the ipfw directly only for the L2 filtering (when the net.link.bridge.ipfw is set to 1). This is processed by the block in if_bridge just above the 'ipfwpass' label. But the L3 filtering is done fully by the pfil hooks, as I understand the code. Moreover, I am using 'pf' in my case, not the ipfw.

> Not understanding if_bridge fully, or the coupling of ipfw with if_ethersubr.c,
> I would hope that Andrew and others have more to say on this.

I am too ;))

Thank you!
-- 
Eygene