Date: Thu, 23 Sep 2004 19:19:36 +0900
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Lawrence Farr <freebsd-isp@epcdirect.co.uk>
Cc: freebsd-pf@freebsd.org
Subject: Re: Bridging
Message-ID: <20040923101936.GA13003@kt-is.co.kr>
In-Reply-To: <20040923095026.F3DD167EF1@gunfright.epcdirect.co.uk>
References: <mailman.0.1095856427.15551.freebsd-pf@freebsd.org> <20040923095026.F3DD167EF1@gunfright.epcdirect.co.uk>
On Thu, Sep 23, 2004 at 10:50:27AM +0100, Lawrence Farr wrote:
> I'm trying to get bridging with filtering to work on 5.3B5,
> and can't seem to get pf to filter anything on the bridged
> interface. Should there be a net.link.ether.bridge.pf
> sysctl? I have the following two rules as a test:
>

Last time I saw the bridge code, pf's filtering function was only called on inbound packets. I guess this was for ipfw's optimization, since ipfw can create a state with inbound traffic. However, both pf and ipf should see inbound/outbound packets in order to create a *real* state. At present, if you want to filter in bridge environments, you can do filtering without creating states for inbound traffic.

Patching the bridge code to make pf/ipf see inbound/outbound is trivial. But it is not sufficient for pf to function correctly. (bridge(4) should be taught to handle fragmentation, since pf can reassemble fragmented IP datagrams with scrub rules.)

Personally I think an OID like net.link.ether.bridge.pf is not needed, since pf can enable/disable its running state with pfctl(8). (ipfw had no such capability.)

There are plans to improve the current situation in bridge environments, but not for 5.3R.

> block drop log on fxp3 all
> block return quick on fxp3 proto tcp from any to any port = http
>
> fxp3 being the bridge interface. The traffic gets through
> unfiltered. Am I just missing something obvious?
>
> Regards,
>
> Lawrence Farr
>

Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
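The following pf.conf is an added illustration of the stateless approach the reply describes; it is not from either poster. It assumes fxp2 and fxp3 are the two members of the bridge (the thread names only fxp3) and that, as stated above, this bridge(4) hands pf only inbound packets. Every rule is therefore an "in" rule on the member interface where the frame enters the bridge, no rule uses "keep state", and scrub is deliberately left out because bridge(4) is said not to handle the reassembly scrub performs.

```pf
# Added example pf.conf for a two-port bridge(4) on FreeBSD 5.x where pf
# is consulted only for inbound packets. Interface names are assumptions.
ext_if = "fxp2"
int_if = "fxp3"

# Intentionally omitted: scrub reassembles fragments, which bridge(4)
# does not handle in this setup according to the reply above.
# scrub in all

# Reject HTTP entering the bridge on either member. "quick" stops
# evaluation here, and no state is created for the matched packet.
block return in log quick on $int_if proto tcp from any to any port = http
block return in log quick on $ext_if proto tcp from any to any port = http

# Everything else is allowed per direction by its own inbound rule on the
# member it arrives on. Reply traffic is matched by the rule on the other
# member, not by a state table entry, so nothing depends on pf seeing the
# outbound side of a connection.
pass in on $int_if all
pass in on $ext_if all
```

Load it with `pfctl -f /etc/pf.conf` and check `pfctl -sr`; if the HTTP rules never accumulate counters while web traffic crosses the bridge, pf is not being called for that interface at all, which is the symptom the original question reports.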
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040923101936.GA13003>