Date: Mon, 24 Oct 2022 08:53:13 GMT
Message-Id: <202210240853.29O8rDHe091720@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 22893e584032 - main - bridge: default to not filtering L3
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 22893e584032f22f24cae8e8b1b77ea70e83bd69

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69

commit
22893e584032f22f24cae8e8b1b77ea70e83bd69 Author: Kristof Provost AuthorDate: 2022-10-14 05:57:33 +0000 Commit: Kristof Provost CommitDate: 2022-10-24 06:52:21 +0000 bridge: default to not filtering L3 Change the default for net.link.bridge.pfil_member and net.link.bridge.pfil_bridge to zero. That is, default to not calling layer 3 firewalls on the bridge or its member interfaces. With either of these enabled the bridge will, during L2 processing, remove the Ethernet header from packets, feed them to L3 firewalls, re-add the Ethernet header and send them out. Not only does this interact very poorly with firewalls which defer packets, or reassemble and refragment IPv6, it also causes considerable confusion for users, because the firewall gets called in unexpected ways. For example, a bridge which contains a bhyve tap and the host's LAN interface. We'd expect traffic between the LAN and bhyve VM to pass, no matter what (layer 3) firewall rules are set on the host. That's not the case as long as pfil_bridge or pfil_member are set. Reviewed by: Zhenlei Huang MFC: never Differential Revision: https://reviews.freebsd.org/D37009 --- sys/net/if_bridge.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index f2538a78f943..e8e552aa1853 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -415,7 +415,7 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, "Only pass IP packets when pfil is enabled"); /* run pfil hooks on the bridge interface */ -VNET_DEFINE_STATIC(int, pfil_bridge) = 1; +VNET_DEFINE_STATIC(int, pfil_bridge) = 0; #define V_pfil_bridge VNET(pfil_bridge) SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge, CTLFLAG_RWTUN | CTLFLAG_VNET, &VNET_NAME(pfil_bridge), 0, 
@@ -433,7 +433,7 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, ipfw_arp, "Filter ARP packets through IPFW layer2"); /* run pfil hooks on the member interface */ -VNET_DEFINE_STATIC(int, pfil_member) = 1; +VNET_DEFINE_STATIC(int, pfil_member) = 0; #define V_pfil_member VNET(pfil_member) SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RWTUN | CTLFLAG_VNET, &VNET_NAME(pfil_member), 0,
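Review bot: if_bridge(4) documents the default of net.link.bridge.pfil_bridge, and the diffstat (`1 file changed, 2 insertions(+), 2 deletions(-)`, only sys/net/if_bridge.c) shows the manual page is not updated alongside `-VNET_DEFINE_STATIC(int, pfil_bridge) = 1;` / `+VNET_DEFINE_STATIC(int, pfil_bridge) = 0;` in the first hunk, so the documentation now describes the old behaviour; update it in the same commit. Because the sysctl is declared `CTLFLAG_RWTUN | CTLFLAG_VNET`, the man page should also state that administrators who still want layer 3 firewall rules evaluated on the bridge interface itself can restore the previous value with net.link.bridge.pfil_bridge=1 in /etc/sysctl.conf or /boot/loader.conf.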
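Review bot: the second hunk's `+VNET_DEFINE_STATIC(int, pfil_member) = 0;` silently stops host firewall rules from being applied to traffic entering or leaving bridge member interfaces on systems that relied on the old default of 1, which is a security-relevant behaviour change rather than a bug fix, yet the commit message carries only "MFC: never" with no "Relnotes: yes" tag and no UPDATING entry. Add both so operators learn that bridged traffic (for example the bhyve tap / host LAN case given in the message) is no longer inspected by layer 3 firewalls unless net.link.bridge.pfil_member=1 is set explicitly; the `CTLFLAG_RWTUN` flag visible in this hunk means it can also be set as a loader tunable, which is worth spelling out for hosts that expect filtering to be in place before the bridge comes up.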