Once again lost in the woods with QEMU, pf, bridge.sh, tap...

mal content artifact.one at googlemail.com
Fri Aug 11 10:40:14 UTC 2006


I'm trying to get qemu with tap networking happening under FreeBSD 6.1.
I did make some progress with the last solution given to me, but I still
couldn't get it to work. Doing things this way seems to be the only method
that works for me currently.

The main problem I'm having is that I can't seem to get pf to do any
packet filtering. My setup currently looks like this:


nic0 = "fxp0"
host_ip = ""


pass in log all
pass out log all


#!/bin/sh -x


sudo ifconfig $tap_if up


#!/bin/sh -x

sudo sysctl net.link.tap.user_open=1
sudo ./bridge.sh start

qemu \
  -m 128 \
  -net nic \
  -net tap,script=if-up2 \
  -hda openbsd_39_hda.img

sudo ./bridge.sh stop
sudo sysctl net.link.tap.user_open=0

'bridge.sh' is the standard bridge.sh copied from /usr/src
and edited for my interfaces:

BRIDGE_IFACES="fxp0 tap0"

Now, the OpenBSD guest is set up to have the IP address '',
and it does work. I can connect out from the guest and I can SSH in
with no problems. HOWEVER - pf doesn't log the packets, and this
is worrying. I seem to be somehow avoiding pf logging, despite the
fact that I've told pf to log everything coming in or out of the machine
(it also logs traffic on loopback, for now).

I fully admit that I don't understand everything going on here, particularly
the magic inside bridge.sh.

I basically just want to be able to tell pf to filter all packets coming from
the tap0 interface (doesn't seem to work) or all packets coming from (unreliable, I would think, what if the guest OS spoofs the
source address?).

help, flames, etc, appreciated.

More information about the freebsd-questions mailing list