
ipfw: add dst-mac/src-mac shorthands to do filtering based on source/destination MAC
Abandoned, Public

Authored by nc on Mar 26 2020, 2:06 AM.

Details

Reviewers
ae
melifaro
donner
rgrimes
Group Reviewers
manpages
Summary

ipfw: add dst-mac/src-mac shorthands to do filtering based on source/destination MAC.

This is similar to the ipfw mac command, but assumes the other side is any.

Submitted by: Neel Chauhan <neel AT neelc DOT org>

Test Plan

Look at the command example.

# sysctl net.link.ether.ipfw=1
net.link.ether.ipfw: 0 -> 1
# ipfw add 2000 deny dst-mac 00:01:02:03:04:05
02000 deny MAC any 00:01:02:03:04:05
root@spectre:/home/neel # ping 1.1.1.1
...
1 packets transmitted, 0 packets received, 100.0% packet loss
# ipfw del 2000
ipfw: DEPRECATED: 'del' matched 'delete' as a sub-string
# ping 1.1.1.1
...
1 packets transmitted, 1 packets received, 0.0% packet loss
...
#

No unit tests are given, because they caused a kernel panic from IPFW Layer 2 and vnet jails.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

sbin/ipfw/ipfw2.c
3431–3432

or simply

bzero(addr, ETHER_ADDR_LEN);
bzero(mask, ETHER_ADDR_LEN);
3575–3577

Why is this inverted (get -> set), while the other case is (set -> get)?

nc marked 2 inline comments as done. Mar 26 2020, 4:31 PM
nc added inline comments.
sbin/ipfw/ipfw2.c
3431–3432

Makes a lot of sense, thanks!

3575–3577

Accidental mistake, sorry.

nc marked 2 inline comments as done.

Revised patch including Lutz's suggestions.
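
Added example (not code from the patch under review or from ipfw itself): a user-space C model of what a one-sided MAC rule means, with the unnamed side zeroed so it acts as "any", as the bzero() comment above suggests. The struct layout (destination in the first 6 bytes, source in the next 6), the function names and the sample frames are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6 /* same size as ETHER_ADDR_LEN */
/* Assumed layout: bytes 0-5 destination MAC, bytes 6-11 source MAC. */
struct mac_match { uint8_t addr[2 * MAC_LEN]; uint8_t mask[2 * MAC_LEN]; };

/* Parse "aa:bb:cc:dd:ee:ff" strictly; 0 on success, -1 on malformed input. */
static int parse_mac(const char *s, uint8_t *out) {
    unsigned int b[MAC_LEN];
    char tail;
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c", &b[0], &b[1], &b[2],
               &b[3], &b[4], &b[5], &tail) != MAC_LEN)
        return -1;
    for (int i = 0; i < MAC_LEN; i++)
        out[i] = (uint8_t)b[i];
    return 0;
}

/* One-sided rule: exact on the named side, zero addr/mask ("any") on the other. */
static int fill_one_side(struct mac_match *m, const char *mac, int is_src) {
    size_t off = is_src ? MAC_LEN : 0;
    memset(m, 0, sizeof(*m));
    if (parse_mac(mac, m->addr + off) != 0)
        return -1; /* m is all zero here and would match every frame */
    memset(m->mask + off, 0xff, MAC_LEN);
    return 0;
}

/* Masked compare over the first 12 bytes of an Ethernet header. */
static int mac_matches(const struct mac_match *m, const uint8_t *hdr) {
    for (int i = 0; i < 2 * MAC_LEN; i++)
        if ((hdr[i] & m->mask[i]) != m->addr[i])
            return 0;
    return 1;
}

/* Constructed frames: 1 = match, 0 = no match, -1 = bad MAC string. */
static int demo(const char *rule, int is_src, const char *dst, const char *src) {
    struct mac_match m;
    uint8_t hdr[2 * MAC_LEN];
    if (fill_one_side(&m, rule, is_src) || parse_mac(dst, hdr) ||
        parse_mac(src, hdr + MAC_LEN))
        return -1;
    return mac_matches(&m, hdr);
}

int main(void) { /* destination-side rule against a constructed frame */
    return demo("00:01:02:03:04:05", 0, "00:01:02:03:04:05", "aa:bb:cc:dd:ee:ff") != 1;
}
```

A caller has to treat the -1 return as fatal: the zeroed structure left behind by a failed parse is a match-everything rule, which with a deny action would drop all layer-2 traffic.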