Bridging

Pyun YongHyeon yongari at kt-is.co.kr
Thu Sep 23 03:20:18 PDT 2004


On Thu, Sep 23, 2004 at 10:50:27AM +0100, Lawrence Farr wrote:
 > I'm trying to get bridging with filtering to work on 5.3B5,
 > and can't seem to get pf to filter anything on the bridged
 > interface.  Should there be a net.link.ether.bridge.pf
 > sysctl? I have the following two rules as a test:
 > 

Last time I saw the bridge code, pf's filtering function
was only called on inbound packets. I guess this was for ipfw's
optimization since ipfw can create a state with inbound traffic.
However both pf and ipf should see inbound/outbound packets
in order to create a *real* state. At present if you want to
filter on bridge environments you can do filtering without
creating states for inbound traffic.

Patching bridge code to make pf/ipf see inbound/outbound is trivial.
But it is not sufficient for pf to function correctly. (bridge(4)
should be taught to handle fragmentation since pf can reassemble
fragmented IP datagrams with scrub rules.)

Personally I think an OID like net.link.ether.bridge.pf is not needed
since pf can enable/disable its running state with pfctl(8).
(ipfw had no such capability.) There are plans to improve
the current situation in bridge environments, but it's not for
5.3R.

 > block drop log on fxp3 all
 > block return quick on fxp3 proto tcp from any to any port = http
 > 
 > fxp3 being the bridge interface. The traffic gets through
 > unfiltered. Am I just missing something obvious?
 > 
 > Regards,
 > 
 > Lawrence Farr
 > 

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
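The reply above says that, on this bridge code, pf is only invoked for inbound packets on a bridge member and so cannot build a real state, and that bridge(4) does not yet cope with pf reassembling fragments. The ruleset below is an added illustration, not something posted in this thread, of the stateless filtering the reply describes as what currently works: it uses the interface name fxp3 from the question, gives every rule an explicit "in" direction because outbound is never presented to pf here, avoids "keep state" and "scrub ... fragment reassemble" on the bridge member, and blocks HTTP as the original test intended. The macro name and the comments are mine.

```pf
# Added example (not from the thread): stateless pf filtering on a bridge
# member interface, for a bridge that only hands pf the inbound direction.
# Interface name fxp3 comes from the question; the macro name is assumed.
bridge_if = "fxp3"

# No "scrub ... fragment reassemble" on the bridge member: the reply notes
# bridge(4) is not yet taught to handle datagrams pf has reassembled.

# Default deny, logged. Only "in" rules can ever match on this bridge,
# since outbound packets are not passed to pf at all.
block drop in log on $bridge_if all

# Stateless block of HTTP in both directions of the connection. Because
# no state is kept, the server-to-client half (source port 80) must be
# matched by its own rule; a single stateful "pass" would not do it here.
block return in quick on $bridge_if proto tcp from any to any port = http
block return in quick on $bridge_if proto tcp from any port = http to any

# Everything else is allowed statelessly. In the pf shipped with 5.3 a rule
# without "keep state" is stateless; on later pf, where state is the
# default, append "no state" to keep the same behaviour.
pass in quick on $bridge_if all
```

Load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -sr` that the rules show no "keep state" flag; `pfctl -ss` should stay empty while traffic crosses the bridge, which is the visible sign that filtering is happening without state on this setup.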


More information about the freebsd-pf mailing list