Will Netmap bridging break ipfw rule on FreeBSD

Question

I am working on setup a netmap enabled (high performance bridging firewall).

The question is if i am using netmap's bridging tools to bridge em0 and em1, and setup ipfw rules to block some kinds traffic on one em0, will it works?

the kernel bridging is works fine with ipfw but its slow(not netmap enabled), my worry is if it short circle the firewall rules, if i look at the implementation, it doesn't do anything about packet filtering, just once em0 received packets it will forward to em1 immediately

the netmap bridging tools is bridge.c

Answer 1

https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4

While a NIC is in netmap mode, the OS will still believe the interface is up and running. OS-generated packets for that NIC end up into a netmap ring, and another ring is used to send packets into the OS network stack. A close(2) on the file descriptor removes the binding, and returns the NIC to normal mode (reconnecting the data path to the host stack), or destroys the virtual port.

 NICs without native support can still be used in netmap mode through emu-
 lation. Performance is inferior to native netmap mode but still signifi-
 cantly higher than sockets, and approaching that of in-kernel solutions
 such as Linux's pktgen.

PS:

You can do bridging and filtering with ng_ipfw + ng_bridge - it's a fast kernel based solution