Bridging
Pyun YongHyeon
yongari at kt-is.co.kr
Thu Sep 23 03:20:18 PDT 2004
On Thu, Sep 23, 2004 at 10:50:27AM +0100, Lawrence Farr wrote:
> I'm trying to get bridging with filtering to work on 5.3B5,
> and can't seem to get pf to filter anything on the bridged
> interface. Should there be a net.link.ether.bridge.pf
> sysctl? I have the following two rules as a test:
>
Last time I saw the bridge code, pf's filtering function
was only called on inbound packet. I guess this was for ipfw's
optimization since ipfw can create a state with inbound traffic.
However both pf and ipf should see inbound/outbound packet
in order to create a *real* state. At present if you want to
filter on bridge environments you can do filtering without
creating states for inbound traffic.
Patching bridge code to make pf/ipf see inbound/outbound is trivial.
But it is not sufficient for pf to function correctly. (bridge(4)
should be taught to handle fragmentation since pf can reassemble
fragmented IP datagrams with scrub rules.)
Personally I think OID like net.link.ether.bridge.pf is not needed
since pf can enable/disable its running state with pfctl(8).
(ipfw had no such capability.) There are plans to improve
current situations in bridge environments, but it's not for
5.3R.
> block drop log on fxp3 all
> block return quick on fxp3 proto tcp from any to any port = http
>
> fxp3 being the bridge interface. The traffic gets through
> unfiltered. Am I just missing something obvious?
>
> Regards,
>
> Lawrence Farr
>
Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
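An added illustration of the stateless approach described above (not from either poster): a pf.conf fragment for the fxp3 bridge member interface that filters inbound traffic only, without relying on a state that could never be completed because pf on the bridge never sees the outbound half. It assumes, as pf of that era behaved, that a pass rule is stateless unless `keep state` is given.

```pf
# pf.conf fragment (constructed example, not the original poster's ruleset)
# Assumption: fxp3 is the bridge member interface, as in the thread.
# Assumption: pass rules are stateless unless "keep state" is written.
bridge_if = "fxp3"

# Default deny on the bridge interface; log drops so the filter can be
# verified with tcpdump -n -e -ttt -i pflog0 while testing.
block drop log on $bridge_if all

# Weak form from the thread: "block return" answers with RST/ICMP, but on
# the bridge pf only inspects packets in the inbound direction, so the
# direction must be stated explicitly and no state should be expected.
# block return quick on $bridge_if proto tcp from any to any port = http

# Stateless equivalent: match only the inbound direction pf actually sees.
block drop in quick on $bridge_if proto tcp from any to any port = http

# Allow the rest inbound without "keep state"; a state created here would
# never be completed, since outbound packets bypass pf on this bridge.
pass in quick on $bridge_if all

# Enabling or disabling the filter is done with pfctl(8), not a sysctl:
#   pfctl -e   (enable)   pfctl -d   (disable)   pfctl -f /etc/pf.conf (load)
```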