Reputation: 71
Will Netmap bridging break ipfw rule on FreeBSD
I am working on setup a netmap enabled (high performance bridging firewall).
The question is if i am using netmap's bridging tools to bridge em0 and em1, and setup ipfw rules to block some kinds traffic on one em0, will it works?
the kernel bridging is works fine with ipfw but its slow(not netmap enabled), my worry is if it short circle the firewall rules, if i look at the implementation, it doesn't do anything about packet filtering, just once em0 received packets it will forward to em1 immediately
the netmap bridging tools is bridge.c
Upvotes: 0
Views: 646
Answers (1)
Reputation: 5648
https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4
While a NIC is in netmap mode, the OS will still believe the interface is up and running. OS-generated packets for that NIC end up into a netmap ring, and another ring is used to send packets into the OS network stack. A close(2) on the file descriptor removes the binding, and returns the NIC to normal mode (reconnecting the data path to the host stack), or destroys the virtual port.
NICs without native support can still be used in netmap mode through emu-
lation. Performance is inferior to native netmap mode but still signifi-
cantly higher than sockets, and approaching that of in-kernel solutions
such as Linux's pktgen.
PS:
You can do bridging and filtering with ng_ipfw + ng_bridge - it's a fast kernel based solution
Upvotes: 0
Related Questions
- How to block based on Mac address on FreeBsd? (ipfw firewall)
- add custom port forward rule to ipfw on freebsd
- FreeBSD ipfw & natd redirect_address
- IPFW - Ruleset by default
- FREEBSD IPFW - Add/Remove rule
- Is it possible to discard incoming packets based on (a dynamically changing set of) IP address(es) on Linux from C/C++ code?
- FreeBSD IPFW add an IP to table
- Linux libnetfilter_queue delayed packet problem