From: "Kevin Foo" <chflags@gmail.com>
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Date: Thu, 27 Nov 2008 20:26:55 +0800
Subject: if_bridge + pf rdr (bridged inline proxy)
Message-ID: <25cb30811270426i6b5cc4c2s49030f64d06b0ec8@mail.gmail.com>

Hi list,

I recently set up a bridge box with an inline cache proxy. if_bridge with pf
filtering was working perfectly. However, squid-cache listening on the
loopback device did not get any packets from pf rdr. I have seen successful
setups with OpenBSD's bridge spamd, which is rather a similar setup. Is
something broken on FreeBSD's if_bridge or am I missing some configuration
here?

pfctl -ss (on bridge box):
------------------
all tcp 127.0.0.1:3128 <- 71.14.235.147:80 <- 192.168.1.100:1041       CLOSED:SYN_SENT
all tcp 192.168.1.100:1041 -> 127.0.0.1:3128       SYN_SENT:CLOSED

Environment
------------------
FreeBSD bridge.mybox 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 25 22:56:22 MYT 2008     kev@bridge.mybox:/usr/obj/usr/src/sys/BRIDGE  i386
Squid Cache: Version 2.7.STABLE5 with --enable-pf-transparent

rc.conf:
------------------
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm bge1 up"
ifconfig_bge0="up"
ifconfig_bge1="up"
pf_enable="YES"
squid_enabld="YES"

pf.conf:
------------------
int_if="bge0"
ext_if="bge1"

rdr pass on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in all
pass out all
pass on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128

sysctl net.link.bridge :
------------------
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0

Hping Testing (from client 192.168.1.100):
------------------
hping -S -p 80 -c 10 www.google.com

In a quick search of the freebsd-pf archive, I found a thread on a similar
setup in 2004:
http://lists.freebsd.org/pipermail/freebsd-pf/2004-October/000522.html

However, the bridge code of FreeBSD was blamed for poor performance and lack
of functionality.

A more recent post on the freebsd-net mailing list on a similar issue:
http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019556.html

Any ideas? TIA.

P/S : please cc me as I'm not subscribed to freebsd-pf nor freebsd-net
mailing list. Thanks.

--
Regards
Kevin Foo
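Added example, not part of Kevin's message or of pf/squid: a small Python parser for the two `pfctl -ss` entries quoted above that pairs the redirected (`<-`) state with its client and reports rdr states whose target never answered the SYN. It assumes the state pair at the end of each line is printed in the same order as the endpoints (the first endpoint's TCP state first), which is consistent with the two quoted entries, and that a three-endpoint `<-` line is `translated-destination <- original-destination <- client` as shown in the post; the sample input below is constructed from those two lines.

```python
"""Read `pfctl -ss` output and flag rdr states whose target never replied.

Added example; not pf's own tooling. Constructed sample input below is the
pair of state entries quoted in the mailing-list post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two entries from the post's `pfctl -ss` output.
SAMPLE_STATES = """\
all tcp 127.0.0.1:3128 <- 71.14.235.147:80 <- 192.168.1.100:1041       CLOSED:SYN_SENT
all tcp 192.168.1.100:1041 -> 127.0.0.1:3128       SYN_SENT:CLOSED
"""

ARROWS = ("<-", "->")


@dataclass
class PfState:
    ifname: str
    proto: str
    endpoints: List[str]   # addr:port tokens in the order pfctl printed them
    direction: str         # "<-" inbound, "->" outbound
    first_state: str       # TCP state of the first printed endpoint (assumption, see lead-in)
    last_state: str        # TCP state of the last printed endpoint

    @property
    def translated(self) -> bool:
        # pf prints a middle endpoint only when nat/rdr rewrote an address.
        return len(self.endpoints) == 3

    @property
    def client(self) -> str:
        # On "<-" lines the client is printed last; on "->" lines first.
        return self.endpoints[-1] if self.direction == "<-" else self.endpoints[0]

    @property
    def target(self) -> str:
        # The endpoint the client is actually talking to after translation.
        return self.endpoints[0] if self.direction == "<-" else self.endpoints[-1]

    def client_state(self) -> str:
        return self.last_state if self.direction == "<-" else self.first_state

    def target_state(self) -> str:
        return self.first_state if self.direction == "<-" else self.last_state


def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one `pfctl -ss` line; return None for anything that does not fit."""
    tokens = line.split()
    if len(tokens) < 5 or ":" not in tokens[-1]:
        return None
    first_state, last_state = tokens[-1].split(":", 1)
    middle = tokens[2:-1]
    arrows = {t for t in middle if t in ARROWS}
    if len(arrows) != 1:                      # mixed or missing arrows: not a state line
        return None
    endpoints = [t for t in middle if t not in ARROWS]
    if len(endpoints) not in (2, 3):
        return None
    return PfState(tokens[0], tokens[1], endpoints, arrows.pop(), first_state, last_state)


def parse_states(text: str) -> List[PfState]:
    return [st for st in map(parse_state_line, text.splitlines()) if st is not None]


def unanswered_redirects(text: str) -> List[Dict[str, str]]:
    """rdr (inbound, translated) TCP states where the client sits in SYN_SENT
    while the redirect target is still CLOSED, i.e. the target never saw or
    never answered the SYN."""
    findings = []
    for st in parse_states(text):
        if st.proto != "tcp" or st.direction != "<-" or not st.translated:
            continue
        if st.client_state() == "SYN_SENT" and st.target_state() == "CLOSED":
            findings.append({
                "client": st.client,
                "original_dst": st.endpoints[1],
                "rdr_target": st.target,
            })
    return findings


if __name__ == "__main__":
    for f in unanswered_redirects(SAMPLE_STATES):
        print(f"{f['client']} -> {f['original_dst']} redirected to "
              f"{f['rdr_target']}: SYN never answered by the redirect target")
```

Run against real output with `pfctl -ss | python3 this_script.py` after swapping `SAMPLE_STATES` for `sys.stdin.read()`; an entry in the report means the rdr rule matched and pf created state, so the missing piece is between the bridge member and the loopback listener rather than in the rdr rule itself.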