Dear subscribers of the list,the scenario requires packets for one of the tagged VLANs to be copied in span mode, still tagged, to epair(4) interface for feeding IDS inside, but at least one additional vlan(4) inside the jail is required to provide network connectivity for the jail.
With a simple hack[1] of if_bridge(4) it's possible to have epair(4) interface being a member and a span port at once, so now I have:
bridge0: everything *--> epair0 | jail --> vlan1499 --> IDS
bridge0: vlan 1000 <--> epair0 | jail <-> vlan1000 <-> host accessThe drawback of this solution is using patched sources and having duplicated packets for vlan1000 inside the jail, but the desired state is:
vlan 1499 *--> epair0 vlan 1000 <--> epair0Any suggestions on how to make it work with netgraph(3) will be warmly appreciated.
[1] https://cgit.freebsd.org/src/tree/sys/net/if_bridge.c#n1206 Cheers -- Marek Zarychta
OpenPGP_signature
Description: OpenPGP digital signature
