
Re: brconfig and ARP



On Thu, Mar 01, 2001 at 03:31:58PM -0500, Jason Wright wrote:
> On Thu, Mar 01, 2001 at 01:43:50PM -0600, Tillman wrote:
> > With more reflection, I now think that this would properly belong in ipf.
> > While ARP is specific to certain mediums (and thus doesn't make sense in a
> > higher level filter like ipf), bridge already knows how to pass things up to
> > ipf for filtering so it would be cleaner to filter it there. 
> > 
> True, and I've been thinking about extending the 'rule' interface
> for bridges, but several things have stopped me:
> 	1. handling both SNAP encapsulation and DIX encapsulation (grr)
> 	2. coming up with a syntax that applies to both
> 	3. time to implement a rule parser and checker
> 
> I think if I extended the rule interface to allow blocking by protocol
> number, you could accomplish your goal (block the arp's on the external
> interface and run choparp there, which will intercept and respond when
> necessary because it uses bpf), and I don't think this would take
> very long.

That would work. It's not the greatest in terms of rule integration (separate
config for choparp and all), but if it gives functionality that doesn't exist
now, who am I to complain? ;-)

- Tillman
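Jason's first obstacle above, telling DIX from SNAP encapsulation before a protocol-number rule can match anything, is the part worth seeing in code. The following is an added example, not code from this thread or from OpenBSD's bridge implementation: a small C frame classifier, the hypothetical "block proto N" check built on it, and a helper that builds constructed (not captured) frames in both encapsulations so the truncated-frame case can be exercised too. The function names ether_proto, bridge_block_proto and check_constructed are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERTYPE_ARP 0x0806

/* Protocol number of a raw Ethernet frame: DIX frames carry the EtherType at
 * offset 12; 802.3 frames carry a length (< 0x600) there, followed by LLC/SNAP
 * AA AA 03 <OUI:3> <EtherType:2>.  Returns 1 with *proto set, 0 if the frame
 * is too short or is LLC without SNAP (*proto is meaningful only on 1). */
int ether_proto(const uint8_t *frame, size_t len, uint16_t *proto)
{
    if (len < 14)
        return 0;
    *proto = (uint16_t)((frame[12] << 8) | frame[13]);
    if (*proto >= 0x0600)                       /* DIX encapsulation */
        return 1;
    if (len < 22 || frame[14] != 0xAA || frame[15] != 0xAA || frame[16] != 0x03)
        return 0;                               /* truncated or non-SNAP 802.3 */
    *proto = (uint16_t)((frame[20] << 8) | frame[21]);   /* after 3-byte OUI */
    return 1;
}

/* Hypothetical bridge rule "block proto N": 1 = drop, 0 = pass.  A frame whose
 * protocol cannot be determined passes, so the rule drops only what it names
 * (fail-open by design; a fail-closed variant would return 1 there instead). */
int bridge_block_proto(const uint8_t *frame, size_t len, uint16_t blocked)
{
    uint16_t proto;
    return ether_proto(frame, len, &proto) && proto == blocked;
}

/* Build a constructed (not captured) 60-byte frame carrying EtherType `type`,
 * SNAP-encapsulated if snap != 0 else DIX, and run a block-ARP rule over its
 * first `len` bytes (len < 60 simulates a truncated frame). */
int check_constructed(int snap, uint16_t type, size_t len)
{
    static const uint8_t llc_snap[] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };
    uint8_t buf[60] = { 0 };
    if (snap) {
        buf[13] = 46;                           /* 802.3 length field: 60 - 14 */
        memcpy(buf + 14, llc_snap, sizeof llc_snap);
        buf[20] = (uint8_t)(type >> 8); buf[21] = (uint8_t)(type & 0xFF);
    } else {
        buf[12] = (uint8_t)(type >> 8); buf[13] = (uint8_t)(type & 0xFF);
    }
    return bridge_block_proto(buf, len < sizeof buf ? len : sizeof buf, ETHERTYPE_ARP);
}
```

The fail-open choice in bridge_block_proto is the decision a real rule parser would have to make explicit: a pass rule and a block rule want opposite defaults for frames they cannot classify.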