
ipfw: add dst-mac/src-mac shorthands to do filtering based on source/destination MAC
Needs Review, Public

Authored by neel_neelc.org on Thu, Mar 26, 2:06 AM.

Details

Reviewers
ae
melifaro
lutz_donnerhacke.de
Group Reviewers
manpages
Summary

ipfw: add dst-mac/src-mac shorthands to do filtering based on source/destination MAC.

This is similar to the ipfw mac command, but assumes the other side is any.

Submitted by: Neel Chauhan <neel AT neelc DOT org>

Test Plan

Look at the command example.

# sysctl net.link.ether.ipfw=1
net.link.ether.ipfw: 0 -> 1
# ipfw add 2000 deny dst-mac 00:01:02:03:04:05
02000 deny MAC any 00:01:02:03:04:05
root@spectre:/home/neel # ping 1.1.1.1
...
1 packets transmitted, 0 packets received, 100.0% packet loss
# ipfw del 2000
ipfw: DEPRECATED: 'del' matched 'delete' as a sub-string
# ping 1.1.1.1
...
1 packets transmitted, 1 packets received, 0.0% packet loss
...
#

No unit tests are given because they caused a kernel panic from IPFW Layer 2 and vnet jails.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

neel_neelc.org created this revision. Thu, Mar 26, 2:06 AM
neel_neelc.org edited the test plan for this revision. Thu, Mar 26, 2:07 AM
sbin/ipfw/ipfw2.c
3431–3432

or simply

bzero(addr, ETHER_ADDR_LEN);
bzero(mask, ETHER_ADDR_LEN);
3575–3577

Why is this inverted (get -> set), while the other case is (set -> get)?

neel_neelc.org marked 2 inline comments as done. Thu, Mar 26, 4:31 PM
neel_neelc.org added inline comments.
sbin/ipfw/ipfw2.c
3431–3432

Makes a lot of sense, thanks!

3575–3577

Accidental mistake, sorry.

neel_neelc.org marked 2 inline comments as done.

Revised patch including Lutz's suggestions.
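
The summary's "other side is any" behaviour, as an added C illustration that is not code from this revision or from FreeBSD's ipfw: a zeroed address and mask (what the suggested bzero() calls produce) matches every MAC, so only the side named by the shorthand is compared. The struct layout, the function names and the sample header are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETHER_ADDR_LEN 6 /* same value as in FreeBSD's <net/ethernet.h> */
/* Hypothetical rule layout: destination half first, then source half. */
struct mac_rule {
    uint8_t addr[2 * ETHER_ADDR_LEN];
    uint8_t mask[2 * ETHER_ADDR_LEN];
};
/* Constructed sample header: dst 00:01:02:03:04:05, src aa:bb:cc:dd:ee:ff. */
static const uint8_t sample_hdr[2 * ETHER_ADDR_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };

/* Build the rule for "dst-mac X" (is_dst != 0) or "src-mac X" (is_dst == 0). */
static int build_shorthand(struct mac_rule *r, const char *mac, int is_dst)
{
    unsigned int b[ETHER_ADDR_LEN];
    size_t off = is_dst ? 0 : ETHER_ADDR_LEN;
    char tail;
    /* The side not named is "any": zero address and zero mask. */
    memset(r, 0, sizeof(*r));
    /* Exactly six hex octets; a trailing character makes sscanf return 7. */
    if (sscanf(mac, "%2x:%2x:%2x:%2x:%2x:%2x%c", &b[0], &b[1], &b[2],
        &b[3], &b[4], &b[5], &tail) != 6)
        return -1;
    for (size_t i = 0; i < ETHER_ADDR_LEN; i++) {
        r->addr[off + i] = (uint8_t)b[i];
        r->mask[off + i] = 0xff; /* exact match on the named side */
    }
    return 0;
}

/* Returns 1 if sample_hdr matches the shorthand, 0 if not, -1 on a bad MAC. */
static int match_sample(const char *mac, int is_dst)
{
    struct mac_rule r;
    if (build_shorthand(&r, mac, is_dst) != 0)
        return -1;
    for (size_t i = 0; i < sizeof(r.addr); i++)
        if ((sample_hdr[i] & r.mask[i]) != r.addr[i])
            return 0;
    return 1;
}

int main(void)
{
    printf("dst-mac: %d, src-mac: %d\n",
        match_sample("00:01:02:03:04:05", 1),
        match_sample("00:01:02:03:04:05", 0));
    return 0;
}
```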