Re: git: 22893e584032 - main - bridge: default to not filtering L3

From: Kubilay Kocak <koobs_at_FreeBSD.org>
Date: Fri, 28 Oct 2022 23:08:12 UTC
On 25/10/2022 2:27 am, Shawn Webb wrote:
> On Mon, Oct 24, 2022 at 08:53:13AM +0000, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69
>>
>> commit 22893e584032f22f24cae8e8b1b77ea70e83bd69
>> Author:     Kristof Provost <kp@FreeBSD.org>
>> AuthorDate: 2022-10-14 05:57:33 +0000
>> Commit:     Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2022-10-24 06:52:21 +0000
>>
>>      bridge: default to not filtering L3
>>      
>>      Change the default for net.link.bridge.pfil_member and
>>      net.link.bridge.pfil_bridge to zero.
>>      
>>      That is, default to not calling layer 3 firewalls on the bridge or its
>>      member interfaces.
>>      
>>      With either of these enabled the bridge will, during L2 processing,
>>      remove the Ethernet header from packets, feed them to L3 firewalls,
>>      re-add the Ethernet header and send them out.
>>      
>>      Not only does this interact very poorly with firewalls which defer
>>      packets, or reassemble and refragment IPv6, it also causes considerable
>>      confusion for users, because the firewall gets called in unexpected
>>      ways.
>>      
>>      For example, a bridge which contains a bhyve tap and the host's LAN
>>      interface. We'd expect traffic between the LAN and bhyve VM to pass, no
>>      matter what (layer 3) firewall rules are set on the host. That's not the
>>      case as long as pfil_bridge or pfil_member are set.
>>      
>>      Reviewed by:    Zhenlei Huang
>>      MFC:            never
>>      Differential Revision:  https://reviews.freebsd.org/D37009
> 
> Hey Kristof,
> 
> Would this be a good candidate for RELNOTES?
> 
> Thanks,
> 

"This interacts very poorly with firewalls which defer packets, or 
reassemble and refragment IPv6, and also causes considerable
confusion for users, because the firewall gets called in unexpected
ways."

From your commit log, that seems perfect.
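A practical follow-up to the change discussed above, as an added example that is not part of the commit or of this thread: a small POSIX sh script that reads the two `net.link.bridge` sysctls the commit changed, reports whether if_bridge will still hand bridged frames to the layer 3 firewall, and prints the `/etc/sysctl.conf` lines that restore the previous default. It assumes only FreeBSD's usual `sysctl` output format (`name: value`); the sample output embedded below is constructed, and is used whenever the script is run on a host without these sysctls.

```shell
#!/bin/sh
# Added example: check whether a FreeBSD bridge still runs L3 firewall hooks
# after the change of the net.link.bridge.pfil_member / pfil_bridge defaults
# to 0, and show how to restore the old behaviour. Not part of the commit.

# l3_filter_mode PFIL_MEMBER PFIL_BRIDGE
# Prints which interfaces the L3 firewall is called on for bridged traffic:
#   none   - neither (new default: L2 traffic passes regardless of pf/ipfw rules)
#   member - on each member interface only
#   bridge - on the bridge interface only
#   both   - on both (old default)
l3_filter_mode() {
    case "$1:$2" in
        0:0) echo none ;;
        1:0) echo member ;;
        0:1) echo bridge ;;
        1:1) echo both ;;
        *)   echo "unexpected values: pfil_member=$1 pfil_bridge=$2" >&2; return 1 ;;
    esac
}

# Parse "name: value" lines as printed by `sysctl net.link.bridge` (read from
# stdin, so captured output can be fed in) and report the mode.
mode_from_sysctl_output() {
    member=
    bridge=
    while IFS=': ' read -r name value; do
        case "$name" in
            net.link.bridge.pfil_member) member=$value ;;
            net.link.bridge.pfil_bridge) bridge=$value ;;
        esac
    done
    if [ -z "$member" ] || [ -z "$bridge" ]; then
        echo "pfil_member/pfil_bridge sysctls not found in input" >&2
        return 1
    fi
    l3_filter_mode "$member" "$bridge"
}

# Lines to append to /etc/sysctl.conf to get the pre-change behaviour back
# (L3 firewall called on both the bridge and its members), persisting across
# reboots. Applying them live: sysctl net.link.bridge.pfil_member=1 etc.
restore_old_default_conf() {
    printf '%s\n' 'net.link.bridge.pfil_member=1' 'net.link.bridge.pfil_bridge=1'
}

# Constructed sample of what a host running the new default prints.
SAMPLE='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1'

# On a FreeBSD host with if_bridge loaded, inspect the live values; anywhere
# else fall back to the constructed sample so the script still runs.
if sysctl -n net.link.bridge.pfil_member >/dev/null 2>&1; then
    mode=$(sysctl net.link.bridge | mode_from_sysctl_output)
else
    mode=$(printf '%s\n' "$SAMPLE" | mode_from_sysctl_output)
fi
echo "bridge L3 filtering mode: $mode"
if [ "$mode" = none ]; then
    echo "To restore the old default, add to /etc/sysctl.conf:"
    restore_old_default_conf
fi
```

The point the check makes visible is the one in the commit message: with both sysctls at 0, rules in pf, ipfw or ipfilter no longer apply to traffic crossing the bridge (for example between a bhyve tap and the host's LAN interface), so anyone who relied on the host firewall to filter that traffic needs to set the sysctls back explicitly.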