ipfw: layer2 lookup tables

November 23, 2008 · 2 Comments

I had an opportunity to spend some extra time improving layer2 filtering.
I've extended lookup tables in ipfw so that a single layer3 address/mask can carry several layer2 (MAC) addresses. This makes it possible to bind a set of MAC addresses to a whole network, which is what you need when IP addresses are handed out dynamically by DHCP or similar. In addition, the wildcard IP address 'any' is supported, and entries with the wildcard IP can be used for pure layer2 filtering.

For example:

# ip/mask plus the mac addresses allowed to appear with it
ipfw table 1 add 192.168.1.0/24 ether 00:11:11:11:11:11
ipfw table 1 add 192.168.1.0/24 ether 00:22:22:22:22:22
ipfw table 1 add 192.168.1.0/24 ether 00:33:33:33:33:33

# equivalent to: ipfw table 2 add any ether ...
ipfw table 2 add ether 00:11:11:11:11:11
ipfw table 2 add ether 00:22:22:22:22:22
ipfw table 2 add ether 00:33:33:33:33:33
ipfw table 2 add ether ff:ff:ff:ff:ff:ff

# layer2: only the mac addresses in table(2) (plus broadcast) may pass
ipfw add 1000 allow ip from 'table(2)' to 'table(2)' layer2

# layer3
ipfw add 2000 allow ip from 'table(1)' to 'table(1)'
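To make the lookup semantics concrete, here is an added Python model of such a table (an illustration written for this page, not the ipfw patch's own code): a prefix or the wildcard 'any' maps to a set of MACs, and a rule "from table(N) to table(N)" passes a packet only when both ends match. The table contents and sample addresses follow the post; the class and function names are assumptions.

```python
import ipaddress
from collections import defaultdict


class L2Table:
    """Model of the extended ipfw table: a layer3 prefix, or the wildcard
    "any", maps to a set of layer2 (MAC) addresses."""

    def __init__(self):
        self._entries = defaultdict(set)  # key None stands for "any"

    @staticmethod
    def _norm_mac(mac):
        parts = mac.lower().split(":")
        hexd = set("0123456789abcdef")
        if len(parts) != 6 or not all(len(p) == 2 and set(p) <= hexd for p in parts):
            raise ValueError(f"bad MAC address: {mac}")
        return ":".join(parts)

    def add(self, prefix, mac):
        # Equivalent of "ipfw table N add <prefix> ether <mac>"
        key = None if prefix == "any" else ipaddress.ip_network(prefix, strict=False)
        self._entries[key].add(self._norm_mac(mac))

    def match(self, ip, mac):
        # An address pair matches when some entry holds the MAC and its prefix
        # covers the IP; wildcard entries ignore the IP (pure layer2 lookup).
        m, addr = self._norm_mac(mac), ipaddress.ip_address(ip)
        return any(m in macs and (key is None or addr in key)
                   for key, macs in self._entries.items())


def build_tables():
    """Tables 1 and 2 with the same contents as in the post (constructed)."""
    t1, t2 = L2Table(), L2Table()
    for mac in ("00:11:11:11:11:11", "00:22:22:22:22:22", "00:33:33:33:33:33"):
        t1.add("192.168.1.0/24", mac)
        t2.add("any", mac)
    t2.add("any", "ff:ff:ff:ff:ff:ff")  # Ethernet broadcast (ARP requests, DHCP discover)
    return t1, t2


def rule_allows(table, src_ip, src_mac, dst_ip, dst_mac):
    """Models "allow ip from table(N) to table(N)": both ends must match."""
    return table.match(src_ip, src_mac) and table.match(dst_ip, dst_mac)
```

A DHCP discover (0.0.0.0 from a listed MAC to the broadcast MAC) passes the layer2 rule on table 2 but not the layer3 rule on table 1, while a frame from an unlisted MAC fails both.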

About gleb

Comments

2 Responses to “ipfw: layer2 lookup tables”
  1. WOW!!! says:

    Hi, man!
    How did you do it? Can you send me a patch for it or some instructions on how to do it?

    Thanks!