From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Kristof Provost
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 22893e584032 - main - bridge: default to not filtering L3
Date: Mon, 24 Oct 2022 11:27:58 -0400
Message-ID: <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>
In-Reply-To: <202210240853.29O8rDHe091720@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On Mon, Oct 24, 2022 at 08:53:13AM +0000, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69
>
> commit 22893e584032f22f24cae8e8b1b77ea70e83bd69
> Author: Kristof Provost
> AuthorDate: 2022-10-14 05:57:33 +0000
> Commit: Kristof Provost
> CommitDate: 2022-10-24 06:52:21 +0000
>
> bridge: default to not filtering L3
>
> Change the default for net.link.bridge.pfil_member and
> net.link.bridge.pfil_bridge to zero.
>
> That is, default to not calling layer 3 firewalls on the bridge or its
> member interfaces.
>
> With either of these enabled the bridge will, during L2 processing,
> remove the Ethernet header from packets, feed them to L3 firewalls,
> re-add the Ethernet header and send them out.
>
> Not only does this interact very poorly with firewalls which defer
> packets, or reassemble and refragment IPv6, it also causes considerable
> confusion for users, because the firewall gets called in unexpected
> ways.
>
> For example, a bridge which contains a bhyve tap and the host's LAN
> interface. We'd expect traffic between the LAN and bhyve VM to pass, no
> matter what (layer 3) firewall rules are set on the host. That's not the
> case as long as pfil_bridge or pfil_member are set.
>
> Reviewed by: Zhenlei Huang
> MFC: never
> Differential Revision: https://reviews.freebsd.org/D37009

Hey Kristof,

Would this be a good candidate for RELNOTES?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
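The two sysctls named in the commit message decide whether if_bridge strips the Ethernet header and hands bridged frames to the host's layer-3 firewall. The POSIX sh helper below is an added example, not code from the commit, from FreeBSD, or from anyone in this thread: it classifies a host's setting from the live values via sysctl(8) where that sysctl exists, and otherwise falls back to constructed sample values equal to the pre-change defaults (1 and 1) so it still runs for demonstration. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the commit or the mailing-list thread): report
# whether a FreeBSD if_bridge will hand bridged frames to layer-3 firewalls
# (pf/ipfw/ipfilter), driven by the two sysctls the commit changes.
# Function names are hypothetical.

# bridge_l3_filter_mode PFIL_MEMBER PFIL_BRIDGE
# Prints one of: none | member | bridge | both
#   member: the L3 firewall is called on each member interface
#   bridge: the L3 firewall is called on the bridge interface itself
bridge_l3_filter_mode() {
    m="${1:-0}"
    b="${2:-0}"
    if [ "$m" -ne 0 ] && [ "$b" -ne 0 ]; then
        echo both
    elif [ "$m" -ne 0 ]; then
        echo member
    elif [ "$b" -ne 0 ]; then
        echo bridge
    else
        echo none
    fi
}

# read_bridge_pfil
# Prints "<pfil_member> <pfil_bridge>" from the running kernel. Off FreeBSD
# (no such sysctl) it falls back to constructed sample values equal to the
# pre-change defaults, so the script still runs for demonstration.
read_bridge_pfil() {
    m=$(sysctl -n net.link.bridge.pfil_member 2>/dev/null) || m=""
    b=$(sysctl -n net.link.bridge.pfil_bridge 2>/dev/null) || b=""
    if [ -n "$m" ] && [ -n "$b" ]; then
        echo "$m $b"
    else
        echo "1 1"   # constructed fallback: the old defaults
    fi
}

# audit_bridge_pfil [PFIL_MEMBER PFIL_BRIDGE]
# Prints a verdict. Exit status 0 when bridged traffic bypasses L3 firewalls
# (the new default), 1 when it is still filtered somewhere on the bridge path.
audit_bridge_pfil() {
    if [ $# -eq 2 ]; then
        m="$1"; b="$2"
    else
        set -- $(read_bridge_pfil)
        m="$1"; b="$2"
    fi
    mode=$(bridge_l3_filter_mode "$m" "$b")
    if [ "$mode" = none ]; then
        echo "pfil_member=$m pfil_bridge=$b: bridged traffic is not passed to L3 firewalls (new default)"
        return 0
    fi
    echo "pfil_member=$m pfil_bridge=$b: bridged traffic is handed to L3 firewalls ($mode); host pf/ipfw rules apply to e.g. LAN<->bhyve traffic"
    return 1
}

# Stand-alone run: audit the current host (or the constructed fallback).
audit_bridge_pfil || :
```

A host that relied on pfil_member=1 or pfil_bridge=1 to have its pf or ipfw rules applied to traffic crossing a bridge (the bhyve tap plus LAN interface case from the commit message) loses that enforcement once the new default is in effect; to keep it, pin the previous values in /etc/sysctl.conf (net.link.bridge.pfil_member=1, net.link.bridge.pfil_bridge=1) and re-run the audit after reboot to confirm which mode is live.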