FreeBSD bridge + filtering, BIG problem
yongari at kt-is.co.kr
Thu Dec 2 00:59:03 PST 2004
On Thu, Dec 02, 2004 at 09:17:13AM +0100, Jeremie Le Hen wrote:
> > Both pf/ipf should see inbound/outbound traffic in order to
> > create states. But in bridge(4), pfil(9) hook for outbound packet
> > is absent. ipfw can create states without seeing outbound packet.
> > Maybe it would be the author's intention to reduce overhead by not
> > checking packets in both directions.
> > I guess ipfw can't filter outbound packets in bridged setup too.
> > Long time ago, I wrote a patch to add pfil(9) outbound hook
> > in bridge setup. The patch makes pf's scrub rule work too.
> > It wouldn't apply to 5.3R but you can see the point.
> > http://www.kr.freebsd.org/~yongari/patches/bridge.patch
> Could we hope to see this patch merged some day? Are there major
> drawbacks with this pfil outbound hook in bridge setup? At first
AFAIK, none. If ipfw doesn't want to handle outbound traffic as it
was before, it can do that without registering outbound hook.
> glance, it seems to be cool that pf and ipf perform the same while in
> routing or bridging mode.
I guess andre is working on new hook interface in bridge environments.
Once it's done pf/ipf can create real states, I believe. Of course, that
is not sufficient to run pf in bridge mode. Scrubbing of pf needs
special handling since it has to fragment assembled IP packets and
to generate ICMP messages in case the DF bit is set. All this work could
be done after andre's enhancements.
Sorry, I don't want to duplicate work and at present, I have more
important pending jobs (at least to me) in sparc64.
> Best regards,
> Jeremie Le Hen
> jeremie at le-hen.org
http://www.kr.freebsd.org/~yongari | yongari at freebsd.org
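The following is a constructed toy model of the point made in this thread, added as an illustration; it is not FreeBSD kernel, pf or bridge(4) code. It models a bridge that calls a pf-like filter's inbound hook on every forwarded packet and calls the outbound hook only when `outbound_hook=True`. The filter mimics a common ruleset (pass in from the LAN, pass out keep state, block in by default); state keying is simplified to the 4-tuple, and the LAN prefix, addresses and ports are made up for the example.

```python
"""Toy model of stateful filtering on a bridge with and without an
outbound pfil(9) hook.

Constructed illustration for the thread above, not FreeBSD kernel, pf or
bridge(4) code. The Filter class mimics this pf-style ruleset:

    pass in on $lan from $lan_net                 # stateless
    pass out proto tcp flags S/SA keep state      # state created on the way out
    block in                                      # everything else without a state
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the packet that opens the TCP connection


class Filter:
    """pf-like stateful filter (simplified: the state key is the 4-tuple,
    with no interface, direction or sequence-number tracking)."""

    def __init__(self, lan_prefix):
        self.lan_prefix = lan_prefix  # assumed LAN prefix, e.g. "192.168.1."
        self.states = set()

    def _state_match(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.states or rev in self.states

    def hook(self, pkt, direction):
        """Return 'pass' or 'block' for pkt seen in the given direction."""
        if self._state_match(pkt):
            return "pass"                      # existing state, either direction
        if direction == "in":
            # 'pass in on $lan from $lan_net': LAN hosts may start talking
            if pkt.src.startswith(self.lan_prefix):
                return "pass"
            return "block"                     # 'block in' default
        # direction == "out": 'pass out ... flags S/SA keep state'
        if pkt.src.startswith(self.lan_prefix) and pkt.syn:
            self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        return "block"


class Bridge:
    """Bridge data path. outbound_hook=False reproduces the bridge(4)
    behaviour discussed in the thread: the filter only ever sees packets
    in the inbound direction, so 'keep state' on an out rule never fires."""

    def __init__(self, flt, outbound_hook):
        self.flt = flt
        self.outbound_hook = outbound_hook

    def forward(self, pkt):
        verdict = self.flt.hook(pkt, "in")       # pfil(9) inbound hook
        if verdict == "pass" and self.outbound_hook:
            verdict = self.flt.hook(pkt, "out")  # the hook the patch adds
        return verdict


def run_scenario(outbound_hook):
    """Forward a LAN-initiated TCP handshake across the bridge and return
    the verdicts for (SYN out to the peer, SYN-ACK back to the LAN host)."""
    bridge = Bridge(Filter("192.168.1."), outbound_hook)
    # Constructed sample traffic; the peer uses an RFC 5737 documentation address.
    syn = Packet("192.168.1.10", 5000, "203.0.113.5", 80, syn=True)
    syn_ack = Packet("203.0.113.5", 80, "192.168.1.10", 5000, syn=False)
    return bridge.forward(syn), bridge.forward(syn_ack)


if __name__ == "__main__":
    print("inbound hook only:", run_scenario(outbound_hook=False))  # ('pass', 'block')
    print("both hooks       :", run_scenario(outbound_hook=True))   # ('pass', 'pass')
```

With only the inbound hook the SYN leaves the bridge but no state is ever created, so the SYN-ACK coming back hits the default block; with the outbound hook the out rule creates the state and the reply matches it. Real pf also keys states on interface and direction and tracks sequence windows, which the model leaves out.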