Re: Bridge+firewall - possible?

Alan Cox (alan@lxorguk.ukuu.org.uk)
Wed, 9 Dec 1998 15:04:55 +0000 (GMT)


> After I got everything set up, I found out that Linux bridging layer
> does not go through the packet filter. That makes sense... it's
> ethernet vs IP layers.
>
> My question -- is there any way to set up a packet-filtering bridge
> using Linux? (including coding)

Ok, there are two ways to do this:

1. You set up a big proxy arp table and actually route it. That's the
sledgehammer approach but should work fine providing people don't
move PCs around (bonus points for writing a listening daemon
that learns where people are and adjusts the proxy arp table)

2. You use the bridging code. You add a pair of calls to the firewall
hooks for something like 'AF_UNSPEC' and you hack a version of the
IP firewall code into an IP/Mac combination firewall. You'll get
packets with skb->data pointing at the mac level, skb->dev giving
the device and skb->dev->type telling you the device type if you
want to try more than ethernet support.

Alan
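A sketch of the "listening daemon" from approach 1, added here as an example and not code from the message: it parses ARP frames seen on each segment, remembers which interface each IP was last seen on, and emits the iproute2 commands (assumed: `ip route` and `ip neigh ... proxy`, with proxy_arp enabled on the interfaces) needed to route to the host and answer ARP for it on the other segments. The frames are constructed inline.

```python
import struct

ETH_P_ARP = 0x0806

def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed sample input: an Ethernet frame carrying an ARP request."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip
           + b"\x00" * 6 + target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return ip, mac

class ProxyArpTable:
    """Tracks which segment each IP was last seen on and emits the iproute2
    commands (assumed syntax) that keep the routing box answering ARP for
    that IP on every other segment and routing to it on its own."""
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.where = {}  # ip -> interface the host was last seen on

    def learn(self, iface, frame):
        """Feed one frame captured on iface; return commands to apply."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        ip, _mac = parsed
        old = self.where.get(iface and ip)
        if old == iface:
            return []               # nothing changed
        self.where[ip] = iface
        cmds = []
        if old is not None:         # host moved: undo the old placement
            cmds.append(f"ip route del {ip}/32 dev {old}")
            cmds.append(f"ip neigh del proxy {ip} dev {iface}")
            cmds.append(f"ip neigh add proxy {ip} dev {old}")
        else:                       # new host: proxy it on all other segments
            cmds += [f"ip neigh add proxy {ip} dev {o}" for o in self.interfaces if o != iface]
        cmds.append(f"ip route add {ip}/32 dev {iface}")
        return cmds
```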

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/