
Layer-3 Filtering

  Before frames are forwarded, they are filtered by calling one of the ipf routines with the frame to be processed. This allows the standard filtering rules to be applied to bridge member interfaces exactly as they would be for a normal routed firewall. Rules are bound to each member interface and are applied to all incoming frames that contain IP traffic.

The ipf routines expect an IP packet to be passed to them, but the bridge operates in terms of Ethernet frames. The Ethernet header is examined to determine whether the frame contains an IP packet. Since there are two possible encapsulation methods for IP over Ethernet, both must be checked, and the appropriate amount of header information must be copied and removed from the frame, leaving the IP data intact. The resulting packet is passed to ipf, which either drops the packet or returns it. Packets that are not dropped have their Ethernet headers re-attached and are then forwarded as determined by the bridge. Using this approach, we avoided having to modify the ipf code at all.
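The header-stripping step described above, as an added illustration written for this page and not taken from the paper's kernel code: it works on a flat byte buffer instead of mbufs, uses a stand-in filter callback (block_host) in place of the ipf routines, and the MAC addresses, frames and the blocked address 10.0.0.99 are all constructed. It recognises both encapsulations (Ethernet II with EtherType 0x0800, and 802.3 with an LLC/SNAP header), removes exactly that much header, runs the filter on the bare IP packet, and re-attaches the saved header only when the verdict is to forward. Frames that are not IP are passed through untouched, which is the behaviour the text implies when it says rules apply to IP traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHER_HDR_LEN 14
#define LLC_SNAP_LEN   8          /* DSAP, SSAP, CTRL, OUI[3], EtherType[2] */
#define ETHERTYPE_IP   0x0800
#define MAX_STRIP      (ETHER_HDR_LEN + LLC_SNAP_LEN)

enum verdict { PASS = 0, DROP = 1 };

/* A filter hook sees only the IP packet, never the Ethernet header. */
typedef enum verdict (*ip_filter_fn)(const uint8_t *ip, size_t len);

/* Byte offset of the IP header inside the frame, or 0 if the frame does not
 * carry IPv4 in either of the two encapsulations. */
size_t ip_offset(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN)
        return 0;
    uint16_t type_or_len = (uint16_t)((frame[12] << 8) | frame[13]);
    if (type_or_len == ETHERTYPE_IP)                  /* Ethernet II (DIX) */
        return ETHER_HDR_LEN;
    if (type_or_len <= 1500 && len >= MAX_STRIP) {    /* 802.3 length field */
        const uint8_t *llc = frame + ETHER_HDR_LEN;
        if (llc[0] == 0xAA && llc[1] == 0xAA && llc[2] == 0x03 &&   /* SNAP */
            llc[3] == 0 && llc[4] == 0 && llc[5] == 0 &&            /* OUI 0 */
            ((llc[6] << 8) | llc[7]) == ETHERTYPE_IP)
            return MAX_STRIP;
    }
    return 0;
}

/* Strip the link-layer header, hand the IP packet to the filter, and put the
 * header back if the packet is to be forwarded. Non-IP frames pass untouched. */
enum verdict bridge_filter(uint8_t *frame, size_t len, ip_filter_fn filter)
{
    size_t off = ip_offset(frame, len);
    if (off == 0)
        return PASS;
    uint8_t hdr[MAX_STRIP];
    memcpy(hdr, frame, off);                  /* save the header ... */
    memmove(frame, frame + off, len - off);   /* ... and remove it from the frame */
    enum verdict v = filter(frame, len - off);
    if (v == PASS) {                          /* re-attach before forwarding */
        memmove(frame + off, frame, len - off);
        memcpy(frame, hdr, off);
    }
    return v;
}

/* Stand-in for an ipf rule set: block IPv4 traffic to 10.0.0.99 (constructed). */
enum verdict block_host(const uint8_t *ip, size_t len)
{
    if (len < 20 || (ip[0] >> 4) != 4)
        return DROP;                          /* truncated or not IPv4: drop */
    return (ip[16] == 10 && ip[17] == 0 && ip[18] == 0 && ip[19] == 99) ? DROP : PASS;
}

/* Constructed test frame: 20-byte IPv4 header to 10.0.0.<dst_last>, wrapped
 * either as Ethernet II (snap == 0) or as 802.3 + LLC/SNAP (snap != 0). */
size_t build_frame(uint8_t *buf, int snap, uint8_t dst_last)
{
    static const uint8_t macs[12] = {0,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb};
    static const uint8_t snap_hdr[8] = {0xAA,0xAA,0x03, 0,0,0, 0x08,0x00};
    uint8_t ip[20] = {0x45,0,0,20, 0,0,0,0, 64,1,0,0, 10,0,0,5, 10,0,0,0};
    size_t n;
    memcpy(buf, macs, 12);
    if (snap) {
        buf[12] = 0; buf[13] = 28;            /* 802.3 length: LLC/SNAP + IP */
        memcpy(buf + 14, snap_hdr, 8);
        n = 22;
    } else {
        buf[12] = 0x08; buf[13] = 0x00;       /* EtherType IP */
        n = 14;
    }
    ip[19] = dst_last;
    memcpy(buf + n, ip, 20);
    return n + 20;
}

/* Ethernet II frame to 10.0.0.1: forwarded, header restored byte for byte. */
int demo_ethernet2_passes(void)
{
    uint8_t f[64], orig[64];
    size_t n = build_frame(f, 0, 1);
    memcpy(orig, f, n);
    return bridge_filter(f, n, block_host) == PASS && memcmp(f, orig, n) == 0;
}

/* Same rule set, other encapsulation: LLC/SNAP frame to 10.0.0.99 is dropped. */
int demo_snap_dropped(void)
{
    uint8_t f[64];
    size_t n = build_frame(f, 1, 99);
    return bridge_filter(f, n, block_host) == DROP;
}

/* ARP frame (EtherType 0x0806) is not IP: nothing stripped, passes unfiltered. */
int demo_non_ip_untouched(void)
{
    uint8_t f[64] = {0};
    f[12] = 0x08; f[13] = 0x06;
    return ip_offset(f, 42) == 0 && bridge_filter(f, 42, block_host) == PASS;
}

int main(void)
{
    printf("ethernet2 pass: %d, snap drop: %d, arp untouched: %d\n",
           demo_ethernet2_passes(), demo_snap_dropped(), demo_non_ip_untouched());
    return 0;
}
```

The point worth noticing is that the filter callback never sees which encapsulation was used: the same rule set gives the same verdict for both frames, which is what lets the bridge reuse the routed-firewall rules unchanged.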



Angelos D. Keromytis
4/21/2000