Subject: Re: IPFilter'ed Bridge
To: Adam Lebsack <>
From: Pavel Cahyna <>
List: tech-net
Date: 01/17/2003 12:35:32

I wanted to use your patch and discovered it can't work. 

here is a simplified outline of packet input code:

--- cut here ---
ether_input(..... , struct mbuf *m) {
	if (ifp->if_bridge) {
		m = bridge_input(ifp, m);
1:	m_adj(m, sizeof(struct ether_header));

	/* actually invoked in a software interrupt */

ip_input(struct mbuf *m) {
2:	pfil_run_hooks(&inet_pfil_hook, &m, ....);

bridge_input(struct ifnet *ifp, struct mbuf *m) {
	/* your code */
3:	pfil_run_hooks(&inet_pfil_hook, &m, ....);
--- cut here ---

Note that in the normal code path (ether_input->ip_input) the ethernet
header is stripped off by line marked as 1: , so the firewall(s) called
in line 2: receive a mbuf starting by an IP header. But in your code
path, the firewall(s) get a mbuf with the ethernet header (line 3:) instead,
because there is nothing in the code path which would strip the ethernet
header. The firewall does not have any means to detect the type of data
it receives, so it interprets the ethernet header as an IP header.

it would be good maybe to have mbufs somehow typed, so you could determine
what kind of data is in ...

Is my analysis correct? I don't understand how it could have worked for
you. Maybe you have sent a wrong patch?

Bye	Pavel