[pf4freebsd] Re: Bridging

Pyun YongHyeon yongari at kt-is.co.kr
Wed Sep 15 20:54:03 PDT 2004


On Sun, Oct 05, 2003 at 08:10:02PM -0500, temper wrote:
 > So has anyone been testing bridging on 1.64+?
 > 
 > My IP-less bridge would appear at first to work, but I'm having
 > problems where traffic is passing through even though there is a block rule, and nothing is even showing up on any "out" rules on the external interface at all.
 > 
 > I hate posting on mailing lists because there's so much explaining to do and it takes so long to do. I'm usually on #pf on irc.freenode.net seeking
 > help on this subject.
 > 
You have missed one important thing. Both pf and ipf can't see outgoing
packets due to limitations of bridge(4) in FreeBSD. To see packets
going through in both the in and out directions, bridge(4) would have to be
heavily modified.
For ipfw(4), this is not important. Since ipfw(4) has no ability to
track established states accurately, it is meaningless for it to see both in and out
traffic. The author of ipfw(4) might not have wanted to see unnecessary traffic,
as it adds processing burden on the CPU. (IMO)

At present, you may do filtering on a bridge with the following restrictions:
1. filter inbound traffic only
2. use stateless rules only

Yes, it is of very limited use.
I am trying to modify bridge(4) to overcome this situation. However,
bridge(4) is very complex code, and it takes time for me to ensure the
correctness of my code, so I can't simply give an ETA.
If I manage to make it work, I'll let you know via this list.
Thanks.

 > -temper at probsd.net
 > 

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
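A rule set written under those two restrictions, as an added example (it is not from the original post and not the author's own configuration): an IP-less bridge joining fxp0 (outside) and fxp1 (inside) in front of a web server at 192.0.2.10. The interface names and the address are assumed. Because pf on this bridge(4) only sees packets entering each member interface, the reply half of every TCP conversation is written as a second "in" rule on the opposite member rather than as an "out" rule or a "keep state" rule, which would never match.

```pf
# Added example pf.conf for a FreeBSD bridge(4) where pf sees inbound
# packets only. Interface names and the server address are assumed.
ext_if  = "fxp0"          # bridge member facing the Internet
int_if  = "fxp1"          # bridge member facing the LAN
web_srv = "192.0.2.10"    # host behind the bridge; the bridge itself has no IP

# Default deny on both members. No "out" rules are written because pf
# never sees packets leaving a bridge member, so they could not match.
block in on $ext_if all
block in on $int_if all

# Request half: client -> server, enters the bridge on $ext_if.
# No "keep state": these rules are deliberately stateless, since a
# state entry could never be matched against the unseen reply path.
pass in on $ext_if inet proto tcp from any to $web_srv port 80

# Reply half: server -> client, enters the bridge on $int_if.
# With no state table to consult, the only check possible is that the
# packet carries ACK, so a fresh SYN from the server side is still blocked.
pass in on $int_if inet proto tcp from $web_srv port 80 to any flags A/A
```

Load it with `pfctl -f /etc/pf.conf` and check what actually matched with `pfctl -vsr`: only the `in` rules will ever show non-zero counters. Two caveats. First, pf of the OpenBSD 3.x era that FreeBSD shipped at the time treats a rule as stateless unless `keep state` is given; later pf versions default to `keep state` and would need an explicit `no state` on each rule to reproduce this behaviour. Second, the `flags A/A` reply rule is exactly the weakness the author means by "very limited use": any packet with ACK set from the inside host passes, because without state there is nothing to tie it to a connection that was actually opened.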
More information about the freebsd-pf mailing list