Date: Mon, 1 Nov 2021 21:30:28 +0100
From: kaycee gb <kisscoolandthegangbang@hotmail.fr>
To: pf@freebsd.org
Subject: Re: pf on a bhyve host
Message-ID: <AM9PR07MB795615CC02AACF4AB74DE422A08A9@AM9PR07MB7956.eurprd07.prod.outlook.com>
In-Reply-To: <YX6QsJmdJt4xeDPC@ceres.zyxst.net>
References: <YX6QsJmdJt4xeDPC@ceres.zyxst.net>
Hi,

On Sun, 31 Oct 2021 12:48:48 +0000, tech-lists <tech-lists@zyxst.net> wrote:

> Hello pf@
>
> (the context is a 12.2-p10 host and various bhyve guests)
>
> What's the best way to have pf protect the host (on igb0) but
> leave the traffic for the tap devices unexamined? It seems, for example
>
> set skip on $tap_ifs
>
> where $tap_ifs is a macro containing four tap devices, doesn't do what's
> needed.

Does the "set skip" option expand correctly (one tap if per line)?

> In this context, igb0 is bridged with the tap devices. Traffic
> still gets hit by pf block rules on the host despite being for the vm
> behind the tap device(s).

Do you filter on your bridge if or igb0?

>
> Is a different approach needed?

Based on your context, I would do the same as you.
Do you have a catch (block) all rule at the end?

Alternatively, I would try to have rules specifically for each interface you have except for TAP IFs (and probably bridges). Some sort of "set skip" emulation.

As for the rest, I can't answer.

> Do I need to use vlans? The bhyve guests
> need to have real routable IPs and both the host and the guests are on
> the same subnet. The desired outcome was previously achieved with a
> hardware firewall in front of the bhyve host. I'm not sure if this is
> possible with freebsd's pf. Maybe it is with openbsd's? I understand
> that we have pci passthru with bhyve+openbsd guests now.
>
> thanks, K.
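As an added example (not from the thread, and not a configuration either poster published), one pf.conf layout for the approach kaycee sketches: skip or quick-pass the tap and bridge interfaces, and keep the igb0 rules tied to the host's own address so frames crossing the bridge via igb0 no longer match a catch-all block. Interface names, the host address and the bridge sysctl defaults are assumptions.

```pf
# Added example: "set skip" emulation for a bhyve host, not the thread's config.
# Assumed: igb0 is the uplink and a bridge0 member, tap0-tap3 are the guest
# taps, and 192.0.2.10 is the host's own address (documentation range).
ext_if    = "igb0"
host_ip   = "192.0.2.10"
bridge_if = "bridge0"
tap_ifs   = "{ tap0, tap1, tap2, tap3 }"

# Verify the macro expansion before loading:  pfctl -vnf /etc/pf.conf
# should print one "set skip on tapN" line per interface.  On FreeBSD every
# tap also belongs to the interface group "tap", so "set skip on tap" is an
# alternative that needs no macro.
set skip on $tap_ifs
set skip on $bridge_if

# Fallback if "set skip" does not behave as expected: let tap and bridge
# traffic through unconditionally, stateless, before any other rule.
pass quick on $tap_ifs no state
pass quick on $bridge_if no state

# if_bridge(4) runs pf on member interfaces by default
# (net.link.bridge.pfil_member=1), so guest-bound frames are also seen on
# igb0.  Restrict the igb0 rules to the host's own address instead of
# blocking everything on igb0; traffic for the guests then falls through
# to pf's default pass.
pass in  quick on $ext_if inet proto tcp  to $host_ip port ssh keep state
pass in  quick on $ext_if inet proto icmp to $host_ip keep state
pass out quick on $ext_if from $host_ip keep state

# Catch-all for the host only: scoped to $host_ip, it no longer hits
# frames destined for the VMs behind the taps.
block in quick on $ext_if to $host_ip
```

Load with `pfctl -f /etc/pf.conf` once `pfctl -vnf` shows the expanded ruleset you expect.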