[pf4freebsd] Re: Bridging?

Brandon Weisz brandon at mail.avioc.org
Wed Sep 15 20:48:26 PDT 2004


On Fri, 2003-08-29 at 03:37, Pyun YongHyeon wrote:
> On Fri, Aug 29, 2003 at 05:04:40PM +0900, To pf4freebsd at freelists.org wrote:
>  > On Fri, Aug 29, 2003 at 12:22:18PM +0900, To pf4freebsd at freelists.org wrote:
>  >  > On Thu, Aug 28, 2003 at 08:15:45AM -0500, Brandon Weisz wrote:
>  >  >  > Max,
>  >  >  > I tested your patch with basically the same setup as Alan.  I'm using
>  >  >  > the pf port, not sure if I should be testing with 1.62.
>  >  >  > 
>  >  > If your system is -current you should use latest version
>  >  > (not in ports tree).

I'm using 5.1-RELEASE-p2 and the PF (1.0_6) port.

>  >  > 
>  >  >  > The quick and dirty is I didn't see any of the debug messages from
>  >  >  > bridge.c.diff in the dmesg.
>  >  >  > 
>  >  > The debugging message may show up on your CONSOLE. If you do not
>  >  > see any messages such as 'START, TRUE, calling' on your console,
>  >  > it means pf does not work on bridge setup. However I don't think
>  >  > so because bridge code supports PFIL_HOOKS and ipfilter also
>  >  > relies on this feature. (But I can't be sure 'cause I don't even use
>  >  > bridge at all.)
>  >  > 
>  > I have tried bridge(4) with kernel module on -current. No luck.
>  > I can't believe this so I have tried ipf. It did not work either.
>  > There must be a bug in bridge(4) code itself.
>  > At present it seems that there is no way to use pf or ipf
>  > (which uses PFIL_HOOK) on bridge setup with/without assigning
>  > an IP address.
>  > Is there anyone using ipf on bridge setup?
>  > 

I will attempt to test this today or this weekend.  

> This happens when I use bridge kernel module. You may need
> 'options BRIDGE' in your kernel or patch /sys/modules/bridge/
> Makefile to include PFIL_HOOKS code.
> 
> --- Makefile    Fri Aug 29 17:33:00 2003
> +++ Makefile.OK Fri Aug 29 17:33:23 2003
> @@ -3,5 +3,6 @@
>  .PATH: ${.CURDIR}/../../net
>  KMOD=  bridge
>  SRCS=  bridge.c
> +CFLAGS+= DPFIL_HOOKS
>  
>  .include <bsd.kmod.mk>
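
Review bot: the added line `CFLAGS+= DPFIL_HOOKS` is missing the leading dash on the preprocessor flag, so the compiler is handed a bare word `DPFIL_HOOKS` rather than a macro definition, and the PFIL_HOOKS code in bridge.c still would not be compiled into the module. It should read `CFLAGS+= -DPFIL_HOOKS`. A short comment above the line saying that the module build does not pick up `options PFIL_HOOKS` from the kernel config would also explain why the flag has to be set here.
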
> 

I did all my testing with the following kernel options:

...
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options PFIL_HOOKS
options RANDOM_IP_ID
options BRIDGE
...

> However I have received a LOR due to our recent addition of
> lock (not yet released). I believe we should fix this LOR first
> because it is more serious.
> 

Agreed

> Regards,
> Pyun YongHyeon




