[pf4freebsd] Re: Bridging 2nd try and call for testers

Max Laier max at love2party.net
Wed Sep 15 20:49:46 PDT 2004


> > and try again to get pf running. Remember to set
> > net.link.ether.bridge_ipf: 1 This time it should at least see some
> > packets ... or get a panic, not sure about it ;)
> >
>
> Excellent.  My initial pass/block tests were successful.
>
> I will continue testing with a more realistic ruleset, however this is
> quite promising.

We came to the same conclusion, discovered some other problems and bring a
new version of pf_freebsd to fix these issues:

Version 1.64: http://pf4freebsd.love2party.net/pf_freebsd_1.64.tar.gz
MD5 (pf_freebsd_1.64.tar.gz) = f198908a8d691617aa16aa047de7be03

If you are running version 1.63 and don't need bridge support there is no
real need to update unless you often do kldload/unload on pf and have seen
page faults in connection with that (there is a possible race on MOD_UNLOAD,
which most likely does not cause trouble, but is fixed now). If you run
versions prior to 1.63, updating is recommended!

To get bridge working with pf you have to take a look at the newly created
patches directory. There you'll find a patch to src/sys/net/bridge.c running
against RELENG_5_1 and HEAD, which are the same (RCS 1.67). You have to do
the following:

1. $ patch /usr/src/sys/net/bridge.c < pf_freebsd_1.64/patches/bridge.c.patch
2. Rebuild your kernel with at least the following options: "options BRIDGE",
   "options PFIL_HOOKS", "options INET".
3. Reboot to the new kernel and set sysctl "net.link.ether.bridge_ipf" to a
   non-zero value.

Further information about this and coming patches can be found in
patches/README. Things in there are for testing purposes and will be send-pr'd
once we are certain that it helps and works.

Thank you for further feedback on the issue,
    Max
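A pre-flight script for the steps above, added here as an example and not part of the original post or the pf_freebsd package: it compares the downloaded tarball against the MD5 posted in the mail and checks a kernel configuration file for the three required options before you rebuild. The paths are passed as arguments; the md5/md5sum fallback and the example config path in the usage line are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the bridge patch steps above (added example, not from the post).
# Usage: preflight pf_freebsd_1.64.tar.gz /usr/src/sys/i386/conf/MYKERNEL
EXPECTED_MD5="f198908a8d691617aa16aa047de7be03"   # MD5 posted for the 1.64 tarball
REQUIRED_OPTS="BRIDGE PFIL_HOOKS INET"             # kernel options the post requires

# Print a file's MD5; prefers FreeBSD md5(1), falls back to md5sum (portability assumption).
file_md5() {
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"; else md5sum "$1" | cut -d' ' -f1; fi
}

# Return 0 if the file's MD5 equals $2 (defaults to the posted value). MD5 here only
# guards against a corrupted download; the post provides no stronger checksum.
verify_md5() {
    actual=$(file_md5 "$1") || return 1
    [ "$actual" = "${2:-$EXPECTED_MD5}" ]
}

# Print required options absent from a kernel config file (comment lines ignored).
# Return 0 if all are present, 1 if any is missing.
missing_kernel_options() {
    missing=""
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|$)" "$1" \
            || missing="$missing $opt"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Run both checks and report; return non-zero if either fails.
preflight() {
    rc=0
    verify_md5 "$1" && echo "tarball MD5 ok" || { echo "tarball MD5 MISMATCH"; rc=1; }
    m=$(missing_kernel_options "$2") && echo "kernel options ok" \
        || { echo "missing kernel options: $m"; rc=1; }
    return $rc
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```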
