Re: bridge code doesn't work like the man page says

2000-12-25 Thread Nick Sayer



On Fri, 22 Dec 2000, Joost Bekkers wrote:

 
 Submitter-Id:   current-users
 Originator: Joost Bekkers
 Organization:   
 Confidential:   no 
 Synopsis:   bridge/firewall doesn't work as in bridge(4)
 Severity:   serious
 Priority:   medium
 Category:   kern
 Release:        FreeBSD 4.2-RELEASE i386
 Class:  sw-bug
 Environment: 
 
   4.2 RELEASE with the options BRIDGE and IPFIREWALL.
 
 Description: 
 
   When using a kernel with BRIDGE and IPFIREWALL and not
   IPFIREWALL_DEFAULT_TO_ACCEPT, bridge(4) states all non-IP
   packets will not be forwarded. This is not true! All non-IP
   packets will be forwarded regardless of the firewall.

If anything, this is a bug in the man page. What the page really should
imply is that the 65536 rule at the end applies to ALL packets, not just
IP ones. If you set default to accept, then all non-IP will be
accepted. If you don't, then all non-IP will be rejected.

   BRIDGE  opt_bdg.h
 + BRIDGE_IP_ONLY  opt_bdg.h
 + BRIDGE_ALLOW_ARPopt_bdg.h
 + BRIDGE_ALLOW_RARP   opt_bdg.h

This can be done at run-time on a per-Ethernet-protocol-number basis. See
the top of src/etc/rc.firewall.




To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



bridge code doesn't work like the man page says

2000-12-22 Thread Joost Bekkers


Submitter-Id:   current-users
Originator: Joost Bekkers
Organization:   
Confidential:   no 
Synopsis:   bridge/firewall doesn't work as in bridge(4)
Severity:   serious
Priority:   medium
Category:   kern
Release:        FreeBSD 4.2-RELEASE i386
Class:  sw-bug
Environment: 

4.2 RELEASE with the options BRIDGE and IPFIREWALL.

Description: 

When using a kernel with BRIDGE and IPFIREWALL and not
IPFIREWALL_DEFAULT_TO_ACCEPT, bridge(4) states all non-IP
packets will not be forwarded. This is not true! All non-IP
packets will be forwarded regardless of the firewall.

How-To-Repeat: 

Make a kernel with BRIDGE and IPFIREWALL. Generate non-IP
(like ARP or IPX) traffic and notice how it passes through
the bridge.

Fix: 

I've added some options to make the bridge/firewall combo useful.

# $FreeBSD: src/sys/conf/options,v 1.191.2.20 2000/11/16 17:28:30 archie Exp $
*** conf/options~   Thu Dec 21 20:06:38 2000
--- conf/optionsThu Dec 21 13:04:05 2000
***
*** 220,225 
--- 220,228 
  BOOTP_NFSV3   opt_bootp.h
  BOOTP_WIRED_TOopt_bootp.h
  BRIDGEopt_bdg.h
+ BRIDGE_IP_ONLYopt_bdg.h
+ BRIDGE_ALLOW_ARP  opt_bdg.h
+ BRIDGE_ALLOW_RARP opt_bdg.h
  ETHER_II  opt_ef.h
  ETHER_8023opt_ef.h
  ETHER_8022opt_ef.h
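Review bot: BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP only do anything when BRIDGE_IP_ONLY is also set (without it every non-IP frame is forwarded regardless), but nothing in this hunk records that dependency, so a kernel built with just `options BRIDGE_ALLOW_ARP` silently keeps the old behaviour. Document the dependency next to the three new lines and in LINT, or define the two exemptions in terms of BRIDGE_IP_ONLY rather than as independent knobs. Since the PR is filed against bridge(4), the man page should be updated in the same change.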



 * $FreeBSD: src/sys/net/bridge.c,v 1.16.2.6 2000/09/25 17:30:01 nsayer Exp $
*** net/bridge.c~   Thu Dec 21 20:04:45 2000
--- net/bridge.cThu Dec 21 20:44:41 2000
***
*** 56,61 
--- 56,71 
   *option BRIDGE
   * and then at runtime set the sysctl variable to enable bridging.
   *
+  * If you want to combine a bridge with a firewall:
+  *option IPFIREWALL
+  * and since it usualy doesn't make a lot of sense to block ip and
+  * let all the other protocols pass freely, use
+  *option BRIDGE_IP_ONLY
+  * And because arp (and sometimes rarp) can be extremely usefull in
+  * an ip network
+  *option BRIDGE_ALLOW_ARP
+  *option BRIDGE_ALLOW_RARP
+  *
   * Only one interface is supposed to have addresses set (but
   * there are no problems in practice if you set addresses for more
   * than one interface).
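Review bot: the added comment does not say that BRIDGE_ALLOW_ARP and BRIDGE_ALLOW_RARP have no effect without BRIDGE_IP_ONLY, which is exactly the combination a reader of this text is likely to try first; add one sentence to that effect after the BRIDGE_IP_ONLY line. Spelling in the new lines: "usualy" should be "usually" and "usefull" should be "useful". bridge(4) itself, whose wording is the subject of the PR, is not touched by this patch.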
***
*** 91,96 
--- 101,107 
  
  #include "opt_ipfw.h" 
  #include "opt_ipdn.h" 
+ #include "opt_bdg.h"
  
  #if defined(IPFIREWALL)
  #include net/route.h
***
*** 445,450 
--- 456,474 
  bzero(ifp2sc, BDG_MAX_PORTS * sizeof(struct bdg_softc) );
  
  bzero(bdg_stats, sizeof(bdg_stats) );
+ /* added by bps */
+ printf("BRIDGING ENABLED"
+ #ifdef BRIDGE_IP_ONLY
+" protocols ip"  
+ #ifdef BRIDGE_ALLOW_ARP
+",arp"  
+ #endif
+ #ifdef BRIDGE_ALLOW_RARP
+",rarp"  
+ #endif
+" only"
+ #endif
+  "\n");
  bdgtakeifaces();
  bdg_timeout(0);
  do_bridge=0;
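Review bot: the `/* added by bps */` marker should not go into the tree; the commit log records authorship. The message "BRIDGING ENABLED" is also wrong at this point in bdginit(): `do_bridge=0;` follows two lines later, so the code is merely present and bridging stays off until the sysctl is set. Print something like "bridge: IP-only mode, arp/rarp exempt" here, or move the message to where do_bridge is actually turned on. Also, when BRIDGE_IP_ONLY is undefined the ",arp" and ",rarp" words are omitted even if those options are set; that matches them being no-ops in that configuration, but a comment saying so would save the next reader a puzzle.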
***
*** 658,663 
--- 682,688 
struct ip_fw_chain *rule = NULL ;
int off;
struct ip *ip ;
+   u_short frame_type;
  
m = *m0 ;
  #ifdef DUMMYNET
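Review bot: frame_type is assigned unconditionally in the following hunk but only read under #ifdef BRIDGE_ALLOW_ARP / BRIDGE_ALLOW_RARP, so a kernel built with BRIDGE_IP_ONLY alone, or with none of the new options, gets a set-but-unused variable and a warning with -Wunused. Rather than wrapping the declaration and assignment in the same #if, use frame_type in the existing ETHERTYPE_IP comparison as well; that removes the second ntohs() call and keeps the variable live in every configuration.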
***
*** 678,685 
--- 703,729 
goto forward ;
if (src == NULL)
goto forward ; /* do not apply to packets from ether_output */
+   frame_type=ntohs(eh-ether_type);
+ #ifdef BRIDGE_ALLOW_ARP
+   if (frame_type == ETHERTYPE_ARP)
+   goto forward ; /* BRIDGE_ALLOW_ARP is defined, so forward arp */
+ #endif
+ #ifdef BRIDGE_ALLOW_RARP
+   if (frame_type == ETHERTYPE_REVARP)
+   goto forward ; /* BRIDGE_ALLOW_RARP is defined, so forward rarp */
+ #endif
if (ntohs(eh-ether_type) != ETHERTYPE_IP)
+ #ifdef BRIDGE_IP_ONLY /* we're bridging IP (and maybe arp/rarp) only */
+   {
+   if (canfree) {
+   m_freem(*m0) ;
+   *m0 = NULL ;
+   }
+   return 0;
+   }
+ #else /* we're bridging everything */
goto forward ; /* not an IP packet, ipfw is not appropriate */
+ #endif
/*
 * In this section, canfree=1 means m is the same as *m0.
 * canfree==0 means m is a copy. We need to make a copy here
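Review bot: the drop under BRIDGE_IP_ONLY is silent: nothing counts or logs the discarded frame, so an operator wondering why IPv6 or 802.1Q-tagged hosts stop talking across the bridge has no evidence to find. Bump a bridge statistics counter, or at least add a debug printf, before `return 0;`. The comment "we're bridging IP (and maybe arp/rarp) only" should spell out that "IP" means ETHERTYPE_IP exactly, so IPv6 and VLAN-tagged frames (even ones carrying IPv4) land in this drop branch. Readability: an #ifdef placed between the ETHERTYPE_IP test and its body compiles, but two complete if statements under #ifdef/#else would be clearer, and the test could reuse the frame_type computed a few lines earlier instead of calling ntohs() again.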


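As an added illustration of the behaviour discussed in both messages (this is example code written for this page, not the PR's patch and not anything in FreeBSD): a user-space C model of the ethertype test that the patched bdg_forward() applies before a frame can reach ipfw. The three kernel options from the patch and IPFIREWALL_DEFAULT_TO_ACCEPT are modelled as runtime flags so every combination can be run at once, the ethertype constants are the standard values, and the frames are constructed test data; nothing here touches mbufs or the real bridge code.

```c
/*
 * Added example, not code from the PR, its patch, or FreeBSD: a user-space
 * model of the ethertype test the patched bdg_forward() applies before a
 * frame can reach ipfw.  The patch's options BRIDGE_IP_ONLY, BRIDGE_ALLOW_ARP,
 * BRIDGE_ALLOW_RARP and the kernel's IPFIREWALL_DEFAULT_TO_ACCEPT are modelled
 * as runtime flags so every combination runs at once.  Frames are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard ethertypes (the kernel gets these from <net/ethernet.h>). */
#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_VLAN   0x8100
#define ETHERTYPE_IPX    0x8137
#define ETHERTYPE_IPV6   0x86dd
#define ETHER_HDR_LEN    14

/* forwarded unfiltered / handed to ipfw / discarded / too short for a header */
enum verdict { V_FORWARD, V_IPFW, V_DROP, V_RUNT };

struct bdg_opts { int ip_only, allow_arp, allow_rarp; }; /* the three patch options */

/* Build a minimal frame: broadcast dst, constructed src MAC, zeroed payload.
 * Returns the frame length, or 0 if the buffer is too small. */
size_t make_frame(uint8_t *buf, size_t cap, uint16_t ethertype, size_t payload_len)
{
    static const uint8_t src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    size_t len = ETHER_HDR_LEN + payload_len;

    if (cap < len)
        return 0;
    memset(buf, 0, len);
    memset(buf, 0xff, 6);
    memcpy(buf + 6, src_mac, 6);
    buf[12] = (uint8_t)(ethertype >> 8);    /* network byte order, what ntohs() undoes */
    buf[13] = (uint8_t)(ethertype & 0xff);
    return len;
}

/* Stage 1: the bridge's own decision, tests in the same order as the patch:
 * ARP/RARP exemptions first, then "is this IP at all". */
enum verdict bdg_classify(const uint8_t *frame, size_t len, const struct bdg_opts *o)
{
    uint16_t frame_type;

    if (len < ETHER_HDR_LEN)
        return V_RUNT;
    frame_type = (uint16_t)((frame[12] << 8) | frame[13]);  /* ntohs(eh->ether_type) */
    if (o->allow_arp && frame_type == ETHERTYPE_ARP)
        return V_FORWARD;
    if (o->allow_rarp && frame_type == ETHERTYPE_REVARP)
        return V_FORWARD;
    if (frame_type != ETHERTYPE_IP)             /* exactly 0x0800: IPv6 and 802.1Q are "non-IP" */
        return o->ip_only ? V_DROP : V_FORWARD; /* unpatched kernel: always V_FORWARD */
    return V_IPFW;
}

/* Stage 2: a V_IPFW frame on a kernel with no rules loaded meets only the
 * implicit rule 65535, which accepts only under IPFIREWALL_DEFAULT_TO_ACCEPT. */
enum verdict bdg_with_ipfw(enum verdict v, int ipfw_default_accept)
{
    if (v != V_IPFW)
        return v;
    return ipfw_default_accept ? V_FORWARD : V_DROP;
}

/* Convenience wrapper: one frame of the given type through both stages. */
enum verdict bdg_verdict(uint16_t ethertype, int ip_only, int allow_arp,
                         int allow_rarp, int ipfw_default_accept)
{
    uint8_t frame[64];
    struct bdg_opts o = { ip_only, allow_arp, allow_rarp };
    size_t len = make_frame(frame, sizeof frame, ethertype, 20);

    return bdg_with_ipfw(bdg_classify(frame, len, &o), ipfw_default_accept);
}

int main(void)
{
    static const struct { const char *name; uint16_t type; } frames[] = {
        { "IP", ETHERTYPE_IP },   { "ARP", ETHERTYPE_ARP },     { "RARP", ETHERTYPE_REVARP },
        { "IPX", ETHERTYPE_IPX }, { "802.1Q", ETHERTYPE_VLAN }, { "IPv6", ETHERTYPE_IPV6 },
    };
    static const struct { const char *name; int ip_only, arp, rarp; } cfgs[] = {
        { "unpatched BRIDGE+IPFIREWALL", 0, 0, 0 },
        { "+BRIDGE_IP_ONLY",             1, 0, 0 },
        { "+BRIDGE_ALLOW_ARP",           1, 1, 0 },
        { "+BRIDGE_ALLOW_RARP",          1, 1, 1 },
    };
    static const char *const names[] = { "forward", "ipfw", "drop", "runt" };
    size_t c, f;

    /* Kernel without IPFIREWALL_DEFAULT_TO_ACCEPT and no ipfw rules loaded. */
    for (c = 0; c < sizeof cfgs / sizeof cfgs[0]; c++) {
        printf("%-30s", cfgs[c].name);
        for (f = 0; f < sizeof frames / sizeof frames[0]; f++)
            printf(" %s=%s", frames[f].name,
                   names[bdg_verdict(frames[f].type, cfgs[c].ip_only, cfgs[c].arp, cfgs[c].rarp, 0)]);
        printf("\n");
    }
    return 0;
}
```

Built with `cc -std=c99 -Wall model.c`, the table it prints shows the PR's complaint on its first line: on an unpatched BRIDGE+IPFIREWALL kernel whose ipfw defaults to deny, IP is dropped while ARP, RARP, IPX, 802.1Q and IPv6 all cross the bridge unfiltered. The remaining lines show the patch's effect, and also the caveat a reviewer would raise about it: BRIDGE_IP_ONLY keys on ETHERTYPE_IP alone, so IPv6 and VLAN-tagged frames are dropped together with IPX, and BRIDGE_ALLOW_ARP/RARP only exempt those two types from that drop.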