From: Kristof Provost (kp@FreeBSD.org)
To: Shawn Webb
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 22893e584032 - main - bridge: default to not filtering L3
Date: Mon, 24 Oct 2022 17:34:58 +0200
In-Reply-To: <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>
References: <202210240853.29O8rDHe091720@gitrepo.freebsd.org> <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
On 24 Oct 2022, at 17:27, Shawn Webb wrote:
> On Mon, Oct 24, 2022 at 08:53:13AM +0000, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69
>>
>> commit 22893e584032f22f24cae8e8b1b77ea70e83bd69
>> Author:     Kristof Provost
>> AuthorDate: 2022-10-14 05:57:33 +0000
>> Commit:     Kristof Provost
>> CommitDate: 2022-10-24 06:52:21 +0000
>>
>>     bridge: default to not filtering L3
>>
>>     Change the default for net.link.bridge.pfil_member and
>>     net.link.bridge.pfil_bridge to zero.
>>
>>     That is, default to not calling layer 3 firewalls on the bridge or its
>>     member interfaces.
>>
>>     With either of these enabled the bridge will, during L2 processing,
>>     remove the Ethernet header from packets, feed them to L3 firewalls,
>>     re-add the Ethernet header and send them out.
>>
>>     Not only does this interact very poorly with firewalls which defer
>>     packets, or reassemble and refragment IPv6, it also causes considerable
>>     confusion for users, because the firewall gets called in unexpected
>>     ways.
>>
>>     For example, a bridge which contains a bhyve tap and the host's LAN
>>     interface. We'd expect traffic between the LAN and bhyve VM to pass, no
>>     matter what (layer 3) firewall rules are set on the host. That's not the
>>     case as long as pfil_bridge or pfil_member are set.
>>
>>     Reviewed by:    Zhenlei Huang
>>     MFC:            never
>>     Differential Revision:  https://reviews.freebsd.org/D37009
>
> Hey Kristof,
>
> Would this be a good candidate for RELNOTES?
>
“Maybe”. I struggle to explain it in a way that does not have an undertone of (or outright says) “Our users don’t actually know what this does. Remove the foot-gun.”

Kristof
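The commit above changes the default of two sysctls; because it is marked "MFC: never", a host on a stable branch keeps the old 1/1 defaults while main ships 0/0, so a practitioner wants to know which behaviour a given box has and to pin it explicitly. The following is an added example written for this page, not code from the mail, the commit, or the FreeBSD tree. It parses sysctl(8)'s "name: value" output, classifies the bridge's L3-filtering state, and emits the /etc/sysctl.conf lines that make the choice explicit. The sample sysctl text is constructed; the only real interfaces it relies on are sysctl(8) and the two sysctl names from the commit message.

```shell
#!/bin/sh
# Added example (not from the original mail or the FreeBSD source tree).
# Audits net.link.bridge.pfil_member / net.link.bridge.pfil_bridge and
# prints sysctl.conf lines that pin them.  The parser takes sysctl(8)-style
# "name: value" text as an argument so it can be exercised offline.

# Print "member=<v> bridge=<v>" from sysctl-style text.  A missing key
# prints as "?" (if_bridge not loaded, or not a FreeBSD host at all).
bridge_pfil_values() {
  printf '%s\n' "$1" | awk -F': *' '
    $1 == "net.link.bridge.pfil_member" { m = $2 }
    $1 == "net.link.bridge.pfil_bridge" { b = $2 }
    END {
      if (m == "") m = "?"; if (b == "") b = "?"
      printf "member=%s bridge=%s\n", m, b
    }'
}

# Return 0 when the bridge never hands frames to the L3 firewall (both
# knobs 0, the new default on main), 1 when either knob is set (the old
# default, and what stable branches keep), 2 when the state is unknown.
bridge_l3_filter_off() {
  vals=$(bridge_pfil_values "$1")
  case "$vals" in
    *"?"*)                return 2 ;;
    "member=0 bridge=0")  return 0 ;;
    *)                    return 1 ;;
  esac
}

# sysctl.conf lines that make the setting explicit regardless of the
# branch default.  $1 is the value for both knobs: 0 keeps host (layer 3)
# firewall rules out of bridged traffic, 1 restores the old behaviour for
# setups that relied on the host firewall seeing bridged VM traffic.
bridge_pfil_sysctl_conf() {
  printf 'net.link.bridge.pfil_member=%s\nnet.link.bridge.pfil_bridge=%s\n' "$1" "$1"
}

# Live values on a FreeBSD host with if_bridge loaded; empty elsewhere.
live_sysctl_text() {
  sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge 2>/dev/null || true
}

# Constructed samples of what sysctl(8) prints before and after the change.
SAMPLE_OLD_DEFAULT='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'
SAMPLE_NEW_DEFAULT='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'
SAMPLE_MIXED='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

if [ "${1:-}" = "--demo" ]; then
  text=$(live_sysctl_text)
  if [ -z "$text" ]; then
    echo "no live bridge sysctls here; using constructed pre-change sample"
    text=$SAMPLE_OLD_DEFAULT
  fi
  echo "current: $(bridge_pfil_values "$text")"
  rc=0; bridge_l3_filter_off "$text" || rc=$?
  case $rc in
    0) echo "bridge does not invoke the L3 firewall (new main default)" ;;
    1) echo "bridge still invokes the L3 firewall; to pin the new default:"
       bridge_pfil_sysctl_conf 0 ;;
    *) echo "state unknown (if_bridge not loaded?)" ;;
  esac
fi
```

Run it with `--demo` on a FreeBSD host to see the live state; anywhere else it falls back to the constructed sample. Pinning the values in /etc/sysctl.conf is the safe move either way: it survives an upgrade that crosses the default change, and it documents whether bridged bhyve traffic is meant to be seen by the host's pf or ipfw rules at all.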