Date: Sun, 31 Oct 2021 12:48:48 +0000
From: tech-lists <tech-lists@zyxst.net>
To: freebsd-pf@freebsd.org
Subject: pf on a bhyve host
Message-ID: <YX6QsJmdJt4xeDPC@ceres.zyxst.net>

Hello pf@

(the context is a 12.2-p10 host and various bhyve guests)

What's the best way to have pf protect the host (on igb0) but leave the traffic for the tap devices unexamined? It seems, for example

    set skip on $tap_ifs

where $tap_ifs is a macro containing four tap devices, doesn't do what's needed. In this context, igb0 is bridged with the tap devices. Traffic still gets hit by pf block rules on the host despite being for the vm behind the tap device(s).

Is a different approach needed? Do I need to use vlans? The bhyve guests need to have real routable IPs and both the host and the guests are on the same subnet.

The desired outcome was previously achieved with a hardware firewall in front of the bhyve host. I'm not sure if this is possible with freebsd's pf. Maybe it is with openbsd's? I understand that we have pci passthru with bhyve+openbsd guests now.

thanks,
--
J.