The best of both worlds “using mac filtering in pf”

Kristof Provost kp at FreeBSD.org
Fri Jul 10 20:44:18 UTC 2020


On 10 Jul 2020, at 22:37, Ultima wrote:
> Hey Kristof,
>
>
>> (It’s already possible to use pf on top of a bridge in
>> bump-in-the-wire mode. Given the gotchas in that code I **strongly**
>> recommend people don’t use that functionality.)
>>
>>
> Do you mind going into details on the gotchas or providing links?
>
I am reluctant to, because people will delude themselves into believing 
they can avoid the landmines.

The entire way this feature is implemented is wrong, and you cannot 
reliably avoid the landmines. If you use it at some point you will find 
yourself spread out over the landscape.

That said, very briefly (and understand that it **will** blow up in 
your face when it’s most annoying): the way this feature works is by 
stripping off the Ethernet header, passing the IP packet to pf, and then 
re-adding the Ethernet header once pf is done with it.

This explodes spectacularly if you do something that causes the packet 
to not be returned by pf, such as a route-to/reply-to rule, or anytime 
IPv6 fragmentation is involved.

Best regards,
Kristof

