FreeBSD bridge + filtering, BIG problem

Jeremie Le Hen jeremie at le-hen.org
Thu Dec 2 00:18:16 PST 2004


> Both pf/ipf should see inbound/outbound traffic in order to
> create states. But in bridge(4), the pfil(9) hook for outbound packets
> is absent. ipfw can create states without seeing the outbound packet.
> Maybe it was the author's intention to reduce overhead by not
> checking packets in both directions.
> 
> I guess ipfw can't filter outbound packets in a bridged setup either.
> 
> A long time ago, I wrote a patch to add a pfil(9) outbound hook
> in the bridge setup. The patch makes pf's scrub rule work too.
> It wouldn't apply to 5.3R but you can see the point.
> 
> http://www.kr.freebsd.org/~yongari/patches/bridge.patch

Could we hope to see this patch merged some day?  Are there major
drawbacks to this pfil outbound hook in a bridged setup?  At first
glance, it seems cool for pf and ipf to perform the same in
routing and bridging mode.

Best regards,
-- 
Jeremie Le Hen
jeremie at le-hen.org
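The point raised in the quoted text, that a stateful filter which only ever sees the inbound pfil(9) hook cannot build state for flows it would otherwise match with a "pass out ... keep state" rule, is easy to reproduce with a small model. The block below is an added illustration written for this page; it is not FreeBSD, pf or bridge(4) code, and it reduces pf to last-match-wins rules with "quick" and a 4-tuple state table. The interface names int_if/ext_if, the addresses and the three-packet TCP handshake are constructed. The same routing-style ruleset is run through a forwarder that calls both hooks (a router, or a bridge with the outbound hook from the patch) and through one that calls only the inbound hook (bridge(4) as shipped in 5.3R).

```python
"""Model of why pf behaves differently on a bridge that lacks the outbound
pfil(9) hook.  Added example, not FreeBSD/pf code: pf is reduced to
last-match-wins rules (with 'quick') plus a 4-tuple state table."""
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    direction: str            # "in" or "out"
    iface: Optional[str]      # None means "all" (any interface)
    action: str               # "pass" or "block"
    keep_state: bool = False  # pf "keep state"
    quick: bool = False       # pf "quick": stop evaluating on match


class PfLikeFilter:
    """Tiny stateful packet filter: state match wins, else rules decide."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: set = set()

    @staticmethod
    def _keys(p: Packet) -> Tuple[tuple, tuple]:
        # A state is looked up in both orientations of the flow.
        return ((p.src, p.sport, p.dst, p.dport),
                (p.dst, p.dport, p.src, p.sport))

    def check(self, p: Packet, direction: str, iface: str) -> str:
        fwd, rev = self._keys(p)
        if fwd in self.states or rev in self.states:
            return "pass"                       # existing state: no rules consulted
        verdict, matched = "pass", None         # pf passes when no rule matches
        for r in self.rules:
            if r.direction == direction and (r.iface is None or r.iface == iface):
                verdict, matched = r.action, r  # last matching rule wins ...
                if r.quick:
                    break                       # ... unless it is 'quick'
        if verdict == "pass" and matched is not None and matched.keep_state:
            self.states.add(fwd)                # state created only on the rule that passed it
        return verdict


def forward(filt: PfLikeFilter, p: Packet, in_if: str, out_if: str,
            outbound_hook: bool) -> str:
    """Run the pfil hooks the forwarding device actually calls.

    outbound_hook=True  : router, or bridge with the outbound hook patch
    outbound_hook=False : bridge(4) as shipped: only the inbound hook fires
    """
    if filt.check(p, "in", in_if) == "block":
        return "block"
    if not outbound_hook:
        return "pass"                           # forwarded without an outbound check
    return filt.check(p, "out", out_if)


# A routing-style ruleset (constructed): trust the inside, block unsolicited
# traffic from outside, create state on the way out.
RULES = [
    Rule("in",  "int_if", "pass", quick=True),        # pass in quick on $int_if
    Rule("out", "int_if", "pass", quick=True),        # pass out quick on $int_if
    Rule("in",  "ext_if", "block"),                   # block in on $ext_if all
    Rule("out", "ext_if", "pass", keep_state=True),   # pass out on $ext_if keep state
]

INSIDE, OUTSIDE = "10.0.0.5", "198.51.100.7"          # constructed addresses


def run_scenario(outbound_hook: bool) -> List[str]:
    """Inside host opens a TCP connection to the outside; return per-packet verdicts."""
    filt = PfLikeFilter(RULES)
    syn    = Packet(INSIDE, 40000, OUTSIDE, 80)
    synack = Packet(OUTSIDE, 80, INSIDE, 40000)
    ack    = Packet(INSIDE, 40000, OUTSIDE, 80)
    return [
        forward(filt, syn,    "int_if", "ext_if", outbound_hook),
        forward(filt, synack, "ext_if", "int_if", outbound_hook),
        forward(filt, ack,    "int_if", "ext_if", outbound_hook),
    ]


if __name__ == "__main__":
    print("both hooks   :", run_scenario(True))    # ['pass', 'pass', 'pass']
    print("inbound only :", run_scenario(False))   # ['pass', 'block', 'pass']
```

With both hooks the SYN reaches the "pass out on $ext_if keep state" rule, a state is created, and the SYN/ACK coming back in on ext_if matches it. With only the inbound hook the SYN is passed by the quick rule on int_if and never evaluated against an "out" rule, so no state exists when the reply arrives and "block in on $ext_if" drops it; the ruleset has to be rewritten in terms of "in" rules on member interfaces to work on the bridge, which is the asymmetry between routing and bridging mode that the reply above asks about.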

