Date:      Mon, 24 Oct 2022 11:27:58 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Kristof Provost <kp@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: 22893e584032 - main - bridge: default to not filtering L3
Message-ID:  <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>
In-Reply-To: <202210240853.29O8rDHe091720@gitrepo.freebsd.org>
References:  <202210240853.29O8rDHe091720@gitrepo.freebsd.org>

On Mon, Oct 24, 2022 at 08:53:13AM +0000, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69
>
> commit 22893e584032f22f24cae8e8b1b77ea70e83bd69
> Author:     Kristof Provost <kp@FreeBSD.org>
> AuthorDate: 2022-10-14 05:57:33 +0000
> Commit:     Kristof Provost <kp@FreeBSD.org>
> CommitDate: 2022-10-24 06:52:21 +0000
>
>     bridge: default to not filtering L3
>
>     Change the default for net.link.bridge.pfil_member and
>     net.link.bridge.pfil_bridge to zero.
>
>     That is, default to not calling layer 3 firewalls on the bridge or its
>     member interfaces.
>
>     With either of these enabled the bridge will, during L2 processing,
>     remove the Ethernet header from packets, feed them to L3 firewalls,
>     re-add the Ethernet header and send them out.
>
>     Not only does this interact very poorly with firewalls which defer
>     packets, or reassemble and refragment IPv6, it also causes considerable
>     confusion for users, because the firewall gets called in unexpected
>     ways.
>
>     For example, a bridge which contains a bhyve tap and the host's LAN
>     interface. We'd expect traffic between the LAN and bhyve VM to pass, no
>     matter what (layer 3) firewall rules are set on the host. That's not the
>     case as long as pfil_bridge or pfil_member are set.
>
>     Reviewed by:    Zhenlei Huang
>     MFC:            never
>     Differential Revision:  https://reviews.freebsd.org/D37009

Hey Kristof,

Would this be a good candidate for RELNOTES?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
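The quoted commit changes the default of two sysctls; an administrator who relied on either value, or who pinned it in sysctl.conf, will want to check what a given host actually does. The following script is an added example and not part of the commit or this thread: it reads sysctl(8) "name: value" output for net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, reports whether the bridge will hand frames to the L3 firewall as the commit message describes, and emits the sysctl.conf lines that pin the behaviour explicitly. The sample outputs below are constructed so it runs without a bridge.

```shell
#!/bin/sh
# Added example (not the commit's or the thread's code). Decide whether a
# FreeBSD bridge will strip the Ethernet header and call the layer 3 firewall,
# from the two knobs the commit changes. Any non-zero value on either knob
# means the L3 firewall is consulted on the bridge path.
#
# bridge_l3_filtering "<sysctl output>"
#   returns 0 when the L3 firewall is called, 1 when it is not,
#   2 when either knob is missing from the supplied output.
bridge_l3_filtering() {
    _out=$1
    _member=$(printf '%s\n' "$_out" | sed -n 's/^net\.link\.bridge\.pfil_member: *//p')
    _bridge=$(printf '%s\n' "$_out" | sed -n 's/^net\.link\.bridge\.pfil_bridge: *//p')
    if [ -z "$_member" ] || [ -z "$_bridge" ]; then
        echo "pfil_member and/or pfil_bridge not present in sysctl output" >&2
        return 2
    fi
    if [ "$_member" != 0 ] || [ "$_bridge" != 0 ]; then
        echo "L3 firewall IS called during bridge L2 processing (pfil_member=$_member pfil_bridge=$_bridge)"
        return 0
    fi
    echo "L3 firewall is NOT called on the bridge path (pfil_member=$_member pfil_bridge=$_bridge)"
    return 1
}

# Print sysctl.conf lines that pin both knobs to $1 (0 or 1), so the host
# behaves the same whether it runs the old non-zero default or the new zero one.
pin_bridge_pfil() {
    printf 'net.link.bridge.pfil_member=%s\nnet.link.bridge.pfil_bridge=%s\n' "$1" "$1"
}

# Constructed sample output: what "sysctl net.link.bridge.pfil_member
# net.link.bridge.pfil_bridge" prints under the old and the new default.
OLD_DEFAULT='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'
NEW_DEFAULT='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'

bridge_l3_filtering "$OLD_DEFAULT" || :
bridge_l3_filtering "$NEW_DEFAULT" || :
pin_bridge_pfil 0
```

On a live host, replace the constructed samples with `$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)`.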
