Subject: Re: bridged interfaces? (for ipfilter)
To: Andrew Brown <twofsonet@graffiti.com>
From: Stefan Grefen <grefen@hprc.tandem.com>
List: tech-net
Date: 09/09/1998 10:16:09
In message <19980908223335.A20791@noc.untraceable.net> Andrew Brown wrote:
> On Tue, Sep 08, 1998 at 01:33:22AM -0700, Michael Graff wrote:
> >Stefan Grefen <grefen@hprc.tandem.com> writes:
> >
> >> Hmm man 5 ipf says there is the "to" keyword which allows you to switch
> >> packets directly to an interface bypassing the routing code.
> >> (this -current )
> >>
> >> This should do the trick for IP-based protocols.
> >
> >Except that the NetBSD machine won't usually get the packets unless you
> >also fake ARP requests. And now you're not a bridge, or at least not
> >a transparent one.
>
> well...wouldn't bridging the non-ip protocols via the bpf include arp
> requests/replies? wouldn't that make you pretty transparent?
You can filter the stuff for IP-arps even in the bpf-rules (the IP packets
must be dropped anyway),
Is running through a user process anyway, so if you're lazy you can put the
filter there.
Stefan
>
> --
> |-----< "CODE WARRIOR" >-----|
> codewarrior@daemon.org * "ah! i see you have the internet
> twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
> warfare@graffiti.com * "information is power -- share the wealth."
--
Stefan Grefen Tandem Computers Europe Inc.
grefen@hprc.tandem.com High Performance Research Center
--- Hacking's just another word for nothing left to kludge. ---