Subject: Re: bridging
To: Emre Yildirim <emre.yildirim@us.army.mil>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: netbsd-users
Date: 09/02/2001 20:55:19
On Sun, Sep 02, 2001 at 10:42:49PM -0500, Emre Yildirim wrote:

 > I was very happy to see bridging support finally being added to 
 > -current.  Big thanks to Jason Thorpe.
 > My question is:  Can it be used with ipfilter yet, i.e. transparent 
 > bridging & filtering between interfaces?

No, I have not integrated transparent filtering into it yet.  There
are a number of reasons for this.  The biggest reason is that filtering
with IP Filter at that level is simply wrong :-)

There are two problems with using IP Filter in the bridge code:

	(1) You can only filter IP.  You want to be able to filter
	    other things, like AppleTalk, etc.

	(2) The way IP Filter expects to have the packet means you
	    have to do some pretty ugly packet frobbing before passing
	    it off to the filter.

	(3) If you are also using IP Filter on the host that is
	    implementing the bridge, you can't use different rule
	    sets for the host and the bridge.

#3 is really the show-stopper.

I'm working on a more generic solution, but it's not as high on my
priority list as some other things (like getting the MP support for
the i386 merged down onto the main branch, and some customer porting
work).

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>
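Problem (1) in the reply above comes down to where a filter hooks in: a bridge forwards whole Ethernet frames, and only some of them carry IP, so a filter that only understands IP has no opinion about the rest. The following C program is an added illustration of that point and is not code from NetBSD, from IP Filter, or from Jason Thorpe. It assumes Ethernet II framing (EtherType in bytes 12 and 13), uses the standard registered EtherType values, and uses a made-up layer-2 policy (`bridge_l2_filter`) and made-up sample frames; AppleTalk Phase 2 frames that use 802.2/SNAP encapsulation are deliberately out of scope here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Registered EtherType values for Ethernet II framing. */
#define ETHERTYPE_IPV4   0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_ATALK  0x809B   /* AppleTalk DDP, Ethernet II framing */
#define ETHERTYPE_AARP   0x80F3   /* AppleTalk ARP */
#define ETHERTYPE_IPV6   0x86DD
#define ETHER_HDR_LEN    14

#define BRIDGE_PASS      1
#define BRIDGE_DROP      0
#define BRIDGE_SHORT    -1

/* Constructed sample frames: 6-byte dst, 6-byte src (made-up addresses),
 * then the big-endian EtherType. Only the 14-byte header is needed here. */
const uint8_t sample_ipv4_frame[ETHER_HDR_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x08, 0x00 };
const uint8_t sample_atalk_frame[ETHER_HDR_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x80, 0x9b };
const uint8_t sample_arp_frame[ETHER_HDR_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x08, 0x06 };

/* Return the EtherType of an Ethernet II frame, or -1 if the buffer is too
 * short to hold a header (a truncated frame must never be forwarded). */
int frame_ethertype(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETHER_HDR_LEN)
        return -1;
    return (frame[12] << 8) | frame[13];
}

/* An IP-only filter can only inspect frames whose payload is IP.
 * Returns 1 if such a filter would see the frame at all, 0 otherwise. */
int ip_only_filter_applies(const uint8_t *frame, size_t len)
{
    int et = frame_ethertype(frame, len);
    return et == ETHERTYPE_IPV4 || et == ETHERTYPE_IPV6;
}

/* Hypothetical layer-2 policy keyed on EtherType: the bridge decides for
 * every frame. Policy used here: forward IPv4, IPv6 and ARP; drop AppleTalk
 * and AARP; drop anything unrecognised (default deny). */
int bridge_l2_filter(const uint8_t *frame, size_t len)
{
    int et = frame_ethertype(frame, len);
    switch (et) {
    case -1:
        return BRIDGE_SHORT;
    case ETHERTYPE_IPV4:
    case ETHERTYPE_IPV6:
    case ETHERTYPE_ARP:
        return BRIDGE_PASS;
    case ETHERTYPE_ATALK:
    case ETHERTYPE_AARP:
        return BRIDGE_DROP;
    default:
        return BRIDGE_DROP;
    }
}

static void report(const char *name, const uint8_t *frame, size_t len)
{
    printf("%-9s ethertype=0x%04x ip-filter-sees=%d bridge-verdict=%d\n",
           name, frame_ethertype(frame, len),
           ip_only_filter_applies(frame, len), bridge_l2_filter(frame, len));
}

int main(void)
{
    report("ipv4", sample_ipv4_frame, sizeof sample_ipv4_frame);
    report("appletalk", sample_atalk_frame, sizeof sample_atalk_frame);
    report("arp", sample_arp_frame, sizeof sample_arp_frame);
    report("truncated", sample_ipv4_frame, 10);
    return 0;
}
```

The AppleTalk and ARP rows are the ones that matter: the layer-2 policy returns a verdict for them, while the IP-only check reports that it would never have looked at the frame. That is the gap an IP-level filter leaves when it is the only thing standing between two bridged segments.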