 
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Kolia <nika at hotmail dot ge>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Transparent bridge
 Date:  Thu, 15 Jul 2004 15:43:44 +0200
On 15.07.2004 17:00 +0400, Kolia wrote:

> Finally I found the bug in the '/etc/inc/filter.inc' that was
> causing lock-up of m0n0wall while putting OPT1 interface in the
> bridge mode. Look at this code in the 'filter_rules_generate()'
> function:
> ......
>        /* OPT spoof check */
>        foreach ($optcfg as $on => $oc) {
>                $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
>        }
> ......

Wait, it's not that easy. Have a look at the code in
filter_rules_generate() that fills in $optcfg. For bridged
interfaces, the IP address/subnet mask of the interface that the
interface is bridged to is filled in 'ip'/'sn'. If you get empty
values for 'ip'/'sn', that means that the bridge target interface
itself isn't configured properly with an IP address/subnet mask. This
can only happen if it is also bridged, or simply disabled. The former
case is checked by the webGUI, but not the latter.

So that would mean that you probably bridged an interface to another
interface that was currently disabled? Is that possible?

> ......
>        /* OPT spoof check */
>        foreach ($optcfg as $on => $oc) {
>                if (!$oc['bridge']) // No spoof check is necessary for bridged interfaces
>                        $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
>        }
> ......

...which would probably break the filtered bridging. Instead the code
should check to make sure that the bridge target interface is
actually enabled. I'll add that to the next release.

Thanks for giving me a hint there!

- Manuel
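How the bridge-target check discussed above could look, as an added PHP example that is not m0n0wall's own filter.inc: the $interfaces layout (enable/if/bridge/sa/sn keys) and the emitted rule text are simplified assumptions; only the parameter list of filter_rules_spoofcheck_generate() follows the call quoted in the thread.

```php
<?php
// Added example, not m0n0wall's own filter.inc: models how $optcfg is filled for
// OPT interfaces and adds the check from the thread: a bridged interface must point
// at an *enabled* bridge target, or 'sa'/'sn' end up empty. Config layout is assumed.
function build_optcfg(array $interfaces): array {
    $optcfg = [];
    foreach ($interfaces as $on => $ifcfg) {
        if (strpos($on, 'opt') !== 0 || empty($ifcfg['enable'])) {
            continue;   // only enabled OPTn interfaces get rules
        }
        $oc = ['if' => $ifcfg['if'], 'bridge' => $ifcfg['bridge'] ?? ''];
        if ($oc['bridge'] !== '') {
            // Bridged: subnet address/mask are taken from the bridge target interface.
            $target = $interfaces[$oc['bridge']] ?? [];
            if (empty($target['enable']) || empty($target['sa']) || empty($target['sn'])) {
                throw new RuntimeException("$on is bridged to '{$oc['bridge']}', which is disabled or has no IP/mask");
            }
            $oc['sa'] = $target['sa'];
            $oc['sn'] = $target['sn'];
        } else {
            $oc['sa'] = $ifcfg['sa'];
            $oc['sn'] = $ifcfg['sn'];
        }
        $optcfg[$on] = $oc;
    }
    return $optcfg;
}
// Simplified stand-in for the real rule generator; refuses empty values rather than emitting "from ! /".
function filter_rules_spoofcheck_generate(string $on, string $if, string $sa, string $sn, bool $log): string {
    if ($sa === '' || $sn === '') {
        throw new InvalidArgumentException("no subnet address/mask for $on");
    }
    $logflag = $log ? 'log ' : '';
    return "block in {$logflag}quick on $if from ! $sa/$sn to any\n";
}
// Constructed config: opt1 is bridged to opt2, but opt2 has been disabled.
$interfaces = [
    'lan'  => ['enable' => true,  'if' => 'sis0', 'sa' => '192.168.1.0', 'sn' => '24'],
    'opt1' => ['enable' => true,  'if' => 'sis1', 'bridge' => 'opt2'],
    'opt2' => ['enable' => false, 'if' => 'sis2', 'sa' => '10.0.0.0', 'sn' => '24'],
];
try {
    $ipfrules = '';
    foreach (build_optcfg($interfaces) as $on => $oc) {
        $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], true);
    }
    echo $ipfrules;
} catch (Exception $e) {
    echo "config error: ", $e->getMessage(), "\n";
}
```

Re-enabling opt2 in the constructed config makes build_optcfg() succeed and the loop emit one anti-spoof rule for opt1 using opt2's subnet, which is the filtered-bridging behaviour the thread wants to keep.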