I use ipfw firewall with settings: In Kernel: options IPDIVERT options IPFIREWALL options IPFIREWALL_FORWARD sysctl: net.inet.ip.forwarding=1 net.link.ether.ipfw=1 The problem: I have a rule in my firewall: 1000 allow ip from any to any layer2 in MAC any any and when an incoming packet matches this rule it is passed further to the next rule. 'ipfw show' shows, that the packet was matched by this rule and then passed to the next rule. As described in 'man ipfw' the packet should be accepted by this rule and the search should be terminated, but this doesn't happen.
Responsible Changed From-To: freebsd-bugs->freebsd-ipfw Over to maintainer(s).
> net.link.ether.ipfw=1 > 1000 allow ip from any to any layer2 in MAC any any You don't show the next rule mentioned, but with net.link.ether.ipfw=1 (and not bridging) the packet traverses the ruleset up to four times. Your rule 1000 accepts the packet when invoked from ether_demux. When the packet (thus) gets to ip(6)_input the ruleset is run again at layer 3 (IP), which rule 1000 does not match. It may match any next rule that is not explicitly layer2. You'll similarly need to pass layer2 packets going 'out', after passing them at layer3. man ipfw /PACKET FLOW cheers, Ian
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped