Quoting Stuart Henderson <s...@spacehopper.org>:

On 2009-01-20, Guido Tschakert <guido.tschak...@src-gmbh.de> wrote:
first thing: I do not have any experience with multicast traffic.
But what you have built seems very strange to me. First you use vlan to
separate the networks and then you put them all together with a bridge.
I do not see the use of the vlans.

It can indeed be useful to do this, even without multicast traffic
in the equation. You might want to filter traffic between machines in
the same subnet, and this is a way you can do it.

Key Aavoja wrote:
PF config:

block out on bnx1 all
block out on vlan1100 all
block out on vlan1101 all
block out on vlan1102 all
block out on vlan1103 all
block out on vlan1104 all
block out on vlan1105 all
block out on vlan1106 all
block out on vlan1107 all
block out on vlan1108 all
pass out quick on vlan1101 proto udp from any to 239.16.1.1
pass out quick on vlan1102 proto udp from any to 239.16.1.2
pass out quick on vlan1103 proto udp from any to 239.16.1.3

Wishful thinking, what the result should be:

All multicast streams are available on vlan1100 and received via
"bnx0/vlan1100". The bridge should stream the multicast packets to
whatever vlan - that's the place where pf should help. Stream 239.16.1.1
should be available only on vlan1101, 239.16.1.2 available only on
vlan1102, and so on.

Real Result:
Stream 239.16.1.1 is available on all three vlans: 1101, 1102, 1103 -
the same thing happens with the other two streams (239.16.1.2, 239.16.1.3).

It's really weird what's going on, or did I misunderstand something
and the configuration is not correct?

you should check the simple things first.

- is PF enabled? pfctl -si
PF is enabled; btw, removing the last three rules disables the whole
mcast traffic. For testing I have 10 streams as input but am trying
to allow only three.

- is the ruleset loaded correctly? pfctl -sr
yes this command shows that all rules are loaded

- does it correctly block ordinary non-multicast traffic between
the vlans? if you did indeed include your whole PF config in your
email, only that particular multicast traffic should pass between
the vlans, everything else should be blocked.

I pasted here 100% of pf config, this non-multicast traffic needs to
be tested, tomorrow I will do that.

you might have already done this, but if you did, you should have
mentioned in your email what you checked.

with a routed (not bridged) environment, PF is able to control
multicast traffic in either direction (I just tried).

from my reading of if_bridge.c, on a bridge, pf filtering for
multicast frames only happens _inbound_. multicast frames sent
_out_ through a bridge are not subject to the outbound PF filter
rules.

bridge MAC filter rules _are_ applied outbound for multicast
frames, I haven't tested but I think that will give you a way
you can restrict this traffic.

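To make the last suggestion concrete, here is an added example that is not part of the thread or of anyone's posted configuration: a small POSIX sh script that turns the poster's "one multicast group per VLAN" requirement into bridge(4) MAC filter rules, since those are applied to multicast frames going out of the bridge. It assumes the bridge is called bridge0, uses the VLAN and group numbers from the post, and adds two constructed extra groups (239.16.1.4, 239.16.1.5) to stand in for the other input streams. Rules are emitted as plain ifconfig(8) commands using the `rule {block|pass} {in|out} on interface [dst address]` syntax; nothing here is OpenBSD project code.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate bridge(4) MAC
# filter rules so each multicast stream leaves the bridge only on its own VLAN.
# Assumed names: bridge0 and the vlan11xx/239.16.1.x values from the post.

# RFC 1112 section 6.4: an IPv4 group address maps to the Ethernet address
# 01:00:5e plus the low 23 bits of the group. Only 23 bits survive, so 32
# groups share a MAC (239.16.1.1 and 239.144.1.1 both give 01:00:5e:10:01:01);
# a MAC-level bridge rule cannot tell them apart. PF could, but as noted above
# it does not see multicast frames on the outbound side of a bridge.
mcast_mac() {
    _old_ifs=$IFS
    IFS=.
    set -- $1            # split dotted quad into $1..$4
    IFS=$_old_ifs
    printf '01:00:5e:%02x:%02x:%02x\n' $(( $2 & 127 )) "$3" "$4"
}

# Rules for one downstream member interface: pass frames addressed to its own
# group, block frames addressed to every other known group. The pass rule
# comes first so the result does not depend on the bridge's default action.
# Bridge rules carry no address mask, so every group that enters on vlan1100
# must appear in $4, otherwise the bridge still floods it to this VLAN.
#   $1 bridge  $2 member interface  $3 allowed group  $4 all known groups
vlan_rules() {
    _br=$1; _if=$2; _allow=$3; _all=$4
    printf 'ifconfig %s rule pass out on %s dst %s\n' \
        "$_br" "$_if" "$(mcast_mac "$_allow")"
    for _g in $_all; do
        if [ "$_g" != "$_allow" ]; then
            printf 'ifconfig %s rule block out on %s dst %s\n' \
                "$_br" "$_if" "$(mcast_mac "$_g")"
        fi
    done
}

# Constructed group list: the three streams from the post plus two stand-ins
# for the other input streams (the poster had ten).
ALL_GROUPS="239.16.1.1 239.16.1.2 239.16.1.3 239.16.1.4 239.16.1.5"

# Whole ruleset for the layout described in the post.
ruleset() {
    vlan_rules bridge0 vlan1101 239.16.1.1 "$ALL_GROUPS"
    vlan_rules bridge0 vlan1102 239.16.1.2 "$ALL_GROUPS"
    vlan_rules bridge0 vlan1103 239.16.1.3 "$ALL_GROUPS"
}

# Number of rules generated; compare with what 'ifconfig bridge0 rules vlanNNNN'
# shows per member after loading.
rule_count() {
    ruleset | wc -l | tr -d ' '
}

# Print the commands; run as root with:  sh thisfile | sh
ruleset
```

Pipe the output into `sh` as root to load the rules, and use `ifconfig bridge0 flushrule vlan1101` (and so on) to clear a member before reloading. To make them persistent, put each line minus the leading `ifconfig bridge0` into /etc/hostname.bridge0 after the `add` lines, since hostname.if(5) lines are passed to ifconfig for that interface. Note that this only covers multicast and says nothing about ordinary unicast between the VLANs; that is still PF's job, and the poster's `block out` rules should be verified against it as Stuart asked.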