Message-ID: <74936dde-438c-ab92-f912-e699568df572@FreeBSD.org>
Date: Sat, 29 Oct 2022 10:08:12 +1100
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Subject: Re: git: 22893e584032 - main - bridge: default to not filtering L3
From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: Kristof Provost
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
References: <202210240853.29O8rDHe091720@gitrepo.freebsd.org> <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>
In-Reply-To: <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>

On 25/10/2022 2:27 am, Shawn Webb wrote:
> On Mon, Oct 24, 2022 at 08:53:13AM +0000, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69
>>
>> commit 22893e584032f22f24cae8e8b1b77ea70e83bd69
>> Author:     Kristof Provost
>> AuthorDate: 2022-10-14 05:57:33 +0000
>> Commit:     Kristof Provost
>> CommitDate: 2022-10-24 06:52:21 +0000
>>
>>     bridge: default to not filtering L3
>>
>>     Change the default for net.link.bridge.pfil_member and
>>     net.link.bridge.pfil_bridge to zero.
>>
>>     That is, default to not calling layer 3 firewalls on the bridge or its
>>     member interfaces.
>>
>>     With either of these enabled the bridge will, during L2 processing,
>>     remove the Ethernet header from packets, feed them to L3 firewalls,
>>     re-add the Ethernet header and send them out.
>>
>>     Not only does this interact very poorly with firewalls which defer
>>     packets, or reassemble and refragment IPv6, it also causes considerable
>>     confusion for users, because the firewall gets called in unexpected
>>     ways.
>>
>>     For example, a bridge which contains a bhyve tap and the host's LAN
>>     interface. We'd expect traffic between the LAN and bhyve VM to pass, no
>>     matter what (layer 3) firewall rules are set on the host. That's not the
>>     case as long as pfil_bridge or pfil_member are set.
>>
>>     Reviewed by:    Zhenlei Huang
>>     MFC:            never
>>     Differential Revision:  https://reviews.freebsd.org/D37009
>
> Hey Kristof,
>
> Would this be a good candidate for RELNOTES?
>
> Thanks,
>

"This interacts very poorly with firewalls which defer packets, or reassemble and refragment IPv6, and also causes considerable confusion for users, because the firewall gets called in unexpected ways."

From your commit log seems perfect.
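As an added example (not part of this thread or of the FreeBSD source tree), a small POSIX shell check that reads the two sysctls named in the commit message and reports whether bridged frames are still being handed to the host's layer 3 firewall, as they were under the old defaults. The sysctl output is a constructed sample and the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of `sysctl -e net.link.bridge.pfil_member net.link.bridge.pfil_bridge`
# as it looked on a host with the pre-22893e584032 defaults (both 1).
SAMPLE_OLD="net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1"

# The same command after the commit's new defaults (both 0).
SAMPLE_NEW="net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0"

# bridge_l3_filtering: read name=value lines on stdin and explain which
# parts of a bridge still have their frames stripped of the Ethernet
# header and passed through the L3 firewall. Returns 0 when the bridge
# forwards at L2 only, 1 when any L3 filtering hook is still enabled.
bridge_l3_filtering() {
    member=0; bridge=0
    while IFS='=' read -r name value; do
        case "$name" in
            net.link.bridge.pfil_member) member=$value ;;
            net.link.bridge.pfil_bridge) bridge=$value ;;
        esac
    done
    rc=0
    if [ "$member" != 0 ]; then
        echo "pfil_member=$member: member interfaces (e.g. a bhyve tap and the LAN NIC) are fed to the L3 firewall"
        rc=1
    fi
    if [ "$bridge" != 0 ]; then
        echo "pfil_bridge=$bridge: the bridge interface itself is fed to the L3 firewall"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "bridge forwards at L2 only; host (layer 3) firewall rules do not see bridged traffic"
    fi
    return "$rc"
}

# On a FreeBSD host the live check would be:
#   sysctl -e net.link.bridge.pfil_member net.link.bridge.pfil_bridge | bridge_l3_filtering
```

Hosts that relied on the old behaviour (firewalling VM traffic on the bridge) will see the first two messages once they set the sysctls back to 1, which is the case the commit message describes as confusing.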