From: Matthew Grooms
To: freebsd-stable@freebsd.org
Subject: missing bridge sysctl options
Date: Wed, 22 Dec 2021 16:17:57 -0600
Message-ID: <1cbc314c-f861-0a7f-9bfb-2fc0d0501756@shrew.net>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
Hey Everyone,

I went to add a few bridge interfaces to a production firewall today and went to set packet filter options for the interfaces as described in the IF_BRIDGE(4) man page section for 12.2-RELEASE-p7. However, all the pfil net.link.bridge sysctl values are absent on both my firewall hosts ...

root@fw1:~ # sysctl -a | grep bridge
dev.isab.0.%desc: PCI-ISA bridge
dev.ahciem.0.%desc: AHCI enclosure management bridge
dev.hostb.1.%desc: Host to PCI bridge
dev.hostb.0.%desc: Host to PCI bridge
dev.pcib.7.%desc: ACPI PCI-PCI bridge
dev.pcib.6.%desc: ACPI PCI-PCI bridge
dev.pcib.5.%desc: ACPI PCI-PCI bridge
dev.pcib.4.%desc: ACPI PCI-PCI bridge
dev.pcib.3.%desc: ACPI PCI-PCI bridge
dev.pcib.2.%desc: ACPI PCI-PCI bridge
dev.pcib.1.%desc: ACPI PCI-PCI bridge
dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.netmap.bridge_batch: 1024

Not sure what's going on here as the man page states there should be options here to control this ...

PACKET FILTERING
     Packet filtering can be used with any firewall package that hooks in via
     the pfil(9) framework.  When filtering is enabled, bridged packets will
     pass through the filter inbound on the originating interface, on the
     bridge interface and outbound on the appropriate interfaces.  Either
     stage can be disabled.  The filtering behaviour can be controlled using
     sysctl(8):
...
     net.link.bridge.pfil_member      Set to 1 to enable filtering on the
                                      incoming and outgoing member interfaces,
                                      set to 0 to disable it.

     net.link.bridge.pfil_bridge      Set to 1 to enable filtering on the
                                      bridge interface, set to 0 to disable
                                      it.
...

I also see recent mailing list posts that make mention of using these options on 12.2-RELEASE, so I don't think it's normal.

Any ideas or suggestions?

Thanks,

-Matthew
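An added check, not part of the original post: a POSIX sh function that audits the text of `sysctl -a` for the two pfil keys quoted from the man page and tells apart a missing net.link.bridge node (what the output above shows; the node is registered by the if_bridge module, so it is absent until that module is loaded) from keys that exist but are set to 0. The sample outputs are constructed, and the function name and exit-status convention are this example's own.

```shell
#!/bin/sh
# check_bridge_pfil: audit the bridge packet-filter sysctls in the text of
# `sysctl -a` (FreeBSD "name: value" lines) passed as the single argument.
# Exit status: 0 both keys present and set to 1; 1 at least one key missing
# (no net.link.bridge node, i.e. if_bridge not loaded); 2 a key is set to 0.
check_bridge_pfil() {
    _out="$1"
    _missing=0
    _off=0
    for _key in net.link.bridge.pfil_member net.link.bridge.pfil_bridge; do
        # Exact match on the name before ": "; print only the value.
        _val=$(printf '%s\n' "$_out" | awk -v k="$_key" -F': ' '$1 == k { print $2; exit }')
        if [ -z "$_val" ]; then
            echo "$_key: MISSING (net.link.bridge node not registered)"
            _missing=1
        elif [ "$_val" = "1" ]; then
            echo "$_key=1: filtering enabled"
        else
            echo "$_key=$_val: filtering DISABLED on this stage"
            _off=1
        fi
    done
    if [ "$_missing" -ne 0 ]; then return 1; fi
    if [ "$_off" -ne 0 ]; then return 2; fi
    return 0
}
# Constructed sample 1: the situation in the post, only hardware bridge
# descriptions match and no net.link.bridge.* key exists.
SAMPLE_NO_NODE='dev.isab.0.%desc: PCI-ISA bridge
dev.netmap.bridge_batch: 1024'
# Constructed sample 2: node present, member-interface filtering switched off.
SAMPLE_PARTIAL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'
# Constructed sample 3: both stages filtered, as the man page describes.
SAMPLE_OK='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'
# Run the audit and print its status without tripping set -e.
report() {
    _st=0
    check_bridge_pfil "$1" || _st=$?
    echo "exit status: $_st"
}
report "$SAMPLE_NO_NODE"
report "$SAMPLE_PARTIAL"
report "$SAMPLE_OK"
```

On a FreeBSD host the live values are audited with check_bridge_pfil "$(sysctl -a)"; a status of 1 means the node itself is absent, which is the condition described in the post rather than a disabled setting.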