Date:      Wed, 22 Dec 2021 16:17:57 -0600
From:      Matthew Grooms <mgrooms@shrew.net>
To:        freebsd-stable@freebsd.org
Subject:   missing bridge sysctl options
Message-ID:  <1cbc314c-f861-0a7f-9bfb-2fc0d0501756@shrew.net>

Hey Everyone,

I went to add a few bridge interfaces to a production firewall today and 
went to set packet filter options for the interfaces as described in the 
IF_BRIDGE(4) man page section for 12.2-RELEASE-p7. However, all the pfil 
net.link.bridge sysctl values are absent on both my firewall hosts ...

root@fw1:~ # sysctl -a | grep bridge
dev.isab.0.%desc: PCI-ISA bridge
dev.ahciem.0.%desc: AHCI enclosure management bridge
dev.hostb.1.%desc: Host to PCI bridge
dev.hostb.0.%desc: Host to PCI bridge
dev.pcib.7.%desc: ACPI PCI-PCI bridge
dev.pcib.6.%desc: ACPI PCI-PCI bridge
dev.pcib.5.%desc: ACPI PCI-PCI bridge
dev.pcib.4.%desc: ACPI PCI-PCI bridge
dev.pcib.3.%desc: ACPI PCI-PCI bridge
dev.pcib.2.%desc: ACPI PCI-PCI bridge
dev.pcib.1.%desc: ACPI PCI-PCI bridge
dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.netmap.bridge_batch: 1024

Not sure what's going on here as the man page states there should be 
options here to control this ...

PACKET FILTERING
     Packet filtering can be used with any firewall package that hooks in via
     the pfil(9) framework.  When filtering is enabled, bridged packets will
     pass through the filter inbound on the originating interface, on the
     bridge interface and outbound on the appropriate interfaces.  Either
     stage can be disabled.  The filtering behaviour can be controlled using
     sysctl(8):
...
     net.link.bridge.pfil_member      Set to 1 to enable filtering on the
                                      incoming and outgoing member interfaces,
                                      set to 0 to disable it.

     net.link.bridge.pfil_bridge      Set to 1 to enable filtering on the
                                      bridge interface, set to 0 to disable
                                      it.
...

I also see recent mailing list posts that make mention of using these 
options on 12.2-RELEASE, so I don't think it's normal.

Any ideas or suggestions?

Thanks,

-Matthew
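An added check, not from the poster or the FreeBSD project, that audits the two pfil OIDs quoted from IF_BRIDGE(4) above against `sysctl` output and distinguishes "absent" (as on the poster's hosts) from "present but disabled"; it assumes the standard `name: value` output format and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not the poster's or FreeBSD's own code): audit the bridge
# pfil sysctls documented in IF_BRIDGE(4). Takes sysctl output as text so it
# can run against a captured snapshot or live `sysctl net.link.bridge` output.

# bridge_pfil_audit <sysctl-output-text>
# Prints one line per OID and returns:
#   0  both pfil_member and pfil_bridge are present and set to 1
#   1  at least one OID is present but set to 0 (that filter stage disabled)
#   2  at least one OID is absent (the net.link.bridge tree is not present)
bridge_pfil_audit() {
    input="$1"
    rc=0
    for oid in net.link.bridge.pfil_member net.link.bridge.pfil_bridge; do
        # sysctl prints "name: value"; pick the value for exactly this OID
        val=$(printf '%s\n' "$input" | awk -v k="$oid" -F': ' '$1 == k { print $2 }')
        if [ -z "$val" ]; then
            echo "$oid: ABSENT"
            rc=2
        elif [ "$val" = "1" ]; then
            echo "$oid: $val (filtering enabled)"
        else
            echo "$oid: $val (filtering disabled)"
            if [ "$rc" -eq 0 ]; then rc=1; fi
        fi
    done
    return "$rc"
}

# Constructed sample outputs (not captured from the poster's hosts).
# Mirrors the post: only device-description OIDs match "bridge".
SAMPLE_ABSENT='dev.isab.0.%desc: PCI-ISA bridge
dev.netmap.bridge_batch: 1024'
# Tree present, but the bridge-interface stage has been turned off.
SAMPLE_DISABLED='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'
# Both stages on, as the man page text expects for filtering.
SAMPLE_ENABLED='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'

# Live use on a FreeBSD host:
#   bridge_pfil_audit "$(sysctl net.link.bridge 2>/dev/null)"
```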