On 28/08/2019 24:45, Eugene Grosbein wrote:
28.08.2019 3:59, Victor Gamov wrote:

sysctl.conf
=====
net.link.ether.ipfw=1
net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=1
net.link.bridge.pfil_member=1

net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.verbose=1
=====

Do you really use ipfw filtering based on layer2 parameters like
MAC addresses? If not, you should disable net.link.ether.ipfw. If
yes, you should use "layer2" keyword explicitly in rules filtering
by ethernet headers and place these rules above others and use
"allow ip from any to any layer2" after L2 filtering is done, so
L2 packets do not go through other rules extra time.

Do you really need to filter each bridged L3 packet twice? Once
as "out xmit $bridge" and once as "out xmit $bridge_member"? If
not, you should disable net.link.bridge.ipfw and keep
net.link.bridge.pfil_member=1 only.

Packets must be filtered on input VLANs (bridge members) and on
output VLANs.  So net.link.bridge.pfil_member=1
Perhaps, you are ruining the performance with such settings
making same work 3 times without real need. Do you really need
filtering ARP? Disable net.link.bridge.ipfw_arp if not.
I need to drop ARP moving via the bridge.  As I use many VLANs, all VLANs
must be isolated and only multicast must be bridged from one VLAN
to others.  To block ARP, the following rule is used:

deny ip from any to any mac-type 0x0806 via bridge1202

As I understand correctly, I need net.link.bridge.ipfw_arp and
net.link.bridge.ipfw to do it.  I'm not sure about net.link.ether.ipfw

Why do you need to filter ARP on bridge? That's unusual. VLANs are
isolated by default and by definition, unless you explicitly enable
inter-vlan routing and setup your routing table.

Maybe I have some misunderstanding here but... If I have many VLANs bridged via a bridge interface then ARP received from one VLAN will be sent to all bridge members. So it will be sent to all unwanted VLANs. Is it correct?


Anyway, you can skip entire ipfw pass over a bridge because you
filter its members anyway, so just drop ARP coming from any vlan with
exception of controlling one:

allow ip from any to any layer2 mac-type 0x0806 in recv $controlvlan
deny ip from any to any layer2 mac-type 0x0806 in
allow ip from any to any layer2

And then disable filtering for bridge itself altogether. Decreasing
number of passes over ipfw should be your top priority because that's
what can provide you with most benefit. You should even rewrite your
ruleset if that is needed to achieve this goal.

If I set net.link.bridge.ipfw=0 but net.link.ether.ipfw and net.link.bridge.ipfw are still set to 1, is it still possible to block unwanted ARP received from one VLAN and bridged to another on the outgoing VLAN like

deny ip from any to any layer2 mac-type 0x0806 out xmit MAC not $mymac any

Is it correct and more effective than net.link.bridge.ipfw=1 if I have "deny mac-type 0x0806 via bridge" at the top of the rules?


--
CU,
Victor Gamov
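As an added example (not part of the thread and not written by either of its participants), here is an /etc/ipfw.rules-style script that puts Eugene's suggestion into a loadable form: the layer-2 ARP rules first, an "allow ... layer2" right after them so other frames leave the L2 pass immediately, and IP filtering done once per bridge member with no extra pass over the bridge itself. The interface names (vlan100, vlan*), the rule numbers and the multicast-only policy are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset following the advice
# to filter ARP at layer 2 on the member VLANs and skip the bridge pass.
#
# Matching /etc/sysctl.conf (assumed, per the thread's suggestion):
#   net.link.ether.ipfw=1          # needed for the "layer2" rules on the VLANs
#   net.link.bridge.pfil_member=1  # filter bridged IP packets on the member VLANs
#   net.link.bridge.ipfw=0         # no extra pass over the bridge itself
#
# Usage:  sh ipfw.rules apply   (loads the rules)
#         sh ipfw.rules show    (prints the ipfw commands without loading them)

FWCMD="${FWCMD:-/sbin/ipfw -q}"          # set FWCMD=echo for a dry run
CONTROLVLAN="${CONTROLVLAN:-vlan100}"    # assumed name of the controlling VLAN

# Layer-2 rules come first. Only ARP (ethertype 0x0806) received on the
# controlling VLAN is allowed in; ARP from every other VLAN is dropped; every
# other frame leaves the layer-2 pass at rule 120, so it is not matched
# against the IP rules a second time.
l2_rules() {
    $FWCMD add 100 allow ip from any to any layer2 mac-type 0x0806 in recv "$CONTROLVLAN"
    $FWCMD add 110 deny ip from any to any layer2 mac-type 0x0806 in
    $FWCMD add 120 allow ip from any to any layer2
}

# IP rules: with pfil_member=1 a bridged packet is seen once on the input
# member and once on the output member, and not again on the bridge.
# Assumed site policy from the thread: only multicast crosses between VLANs.
l3_rules() {
    $FWCMD add 200 allow ip from any to 224.0.0.0/4 in recv "vlan*"
    # remaining site-specific IP policy goes here
}

# Flush and load everything in order (L2 rules must stay above the IP rules).
apply_ruleset() {
    $FWCMD -f flush
    l2_rules
    l3_rules
}

case "${1:-}" in
    apply) apply_ruleset ;;
    show)  (FWCMD=echo; apply_ruleset) ;;
esac
```

Run it with "show" first to review the generated commands; "apply" loads them with /sbin/ipfw -q.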
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
