Date:      Mon, 24 Oct 2022 17:34:58 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: 22893e584032 - main - bridge: default to not filtering L3
Message-ID:  <E4F14C56-7283-40FF-BE91-F844BADF3787@FreeBSD.org>
In-Reply-To: <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>
References:  <202210240853.29O8rDHe091720@gitrepo.freebsd.org> <20221024152758.ofwhfcdfdslm5cbs@mutt-hbsd>

On 24 Oct 2022, at 17:27, Shawn Webb wrote:
> On Mon, Oct 24, 2022 at 08:53:13AM +0000, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69
>>
>> commit 22893e584032f22f24cae8e8b1b77ea70e83bd69
>> Author:     Kristof Provost <kp@FreeBSD.org>
>> AuthorDate: 2022-10-14 05:57:33 +0000
>> Commit:     Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2022-10-24 06:52:21 +0000
>>
>>     bridge: default to not filtering L3
>>
>>     Change the default for net.link.bridge.pfil_member and
>>     net.link.bridge.pfil_bridge to zero.
>>
>>     That is, default to not calling layer 3 firewalls on the bridge or its
>>     member interfaces.
>>
>>     With either of these enabled the bridge will, during L2 processing,
>>     remove the Ethernet header from packets, feed them to L3 firewalls,
>>     re-add the Ethernet header and send them out.
>>
>>     Not only does this interact very poorly with firewalls which defer
>>     packets, or reassemble and refragment IPv6, it also causes considerable
>>     confusion for users, because the firewall gets called in unexpected
>>     ways.
>>
>>     For example, a bridge which contains a bhyve tap and the host's LAN
>>     interface. We'd expect traffic between the LAN and bhyve VM to pass, no
>>     matter what (layer 3) firewall rules are set on the host. That's not the
>>     case as long as pfil_bridge or pfil_member are set.
>>
>>     Reviewed by:    Zhenlei Huang
>>     MFC:            never
>>     Differential Revision:  https://reviews.freebsd.org/D37009
>
> Hey Kristof,
>
> Would this be a good candidate for RELNOTES?
>
“Maybe”. I struggle to explain it in a way that does not have an undertone of (or outright says) “Our users don’t actually know what this does. Remove the foot-gun.”

Kristof
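The practical consequence of the default flip discussed above is that a host which relied on pf/ipfw rules being applied to bridged (for example bhyve tap) traffic will stop filtering it once net.link.bridge.pfil_member and net.link.bridge.pfil_bridge default to 0. The following POSIX shell script is an added example, not part of the commit or of this mail thread: it classifies the two sysctls from `sysctl -e`-style "name=value" output and emits /etc/sysctl.conf lines that pin them explicitly, so the behaviour of a host does not change silently with the default. The function names and the "l3-on"/"l3-off"/"unknown" labels are this example's own invention; the sysctl names come from the commit message.

```shell
#!/bin/sh
# Added example (not from the commit or the mail thread). Audits the two
# net.link.bridge knobs whose defaults commit 22893e584032 changed.
# pfil_member=1 / pfil_bridge=1: the bridge strips the Ethernet header during
# L2 processing and hands the packet to the L3 firewall; 0 means it does not.

# bridge_pfil_mode: classify "name=value" lines (as printed by `sysctl -e`).
# Prints "l3-off" (both knobs 0, the new default) and returns 0,
# "l3-on" (at least one knob 1, bridged frames reach the L3 firewall) and
# returns 1, or "unknown" (a knob is missing from the input) and returns 2.
bridge_pfil_mode() {
    member=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_member=//p')
    bridge=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_bridge=//p')
    if [ -z "$member" ] || [ -z "$bridge" ]; then
        echo unknown
        return 2
    fi
    if [ "$member" = "0" ] && [ "$bridge" = "0" ]; then
        echo l3-off
        return 0
    fi
    echo l3-on
    return 1
}

# bridge_pfil_conf: print /etc/sysctl.conf lines that pin both knobs to $1
# (0 or 1) explicitly, so the host keeps its chosen behaviour regardless of
# which default the running kernel ships with.
bridge_pfil_conf() {
    case "$1" in
        0|1) ;;
        *) echo "bridge_pfil_conf: value must be 0 or 1" >&2; return 1 ;;
    esac
    printf 'net.link.bridge.pfil_member=%s\nnet.link.bridge.pfil_bridge=%s\n' "$1" "$1"
}

# Live check. On a FreeBSD host the knobs exist; elsewhere (or when sysctl is
# absent) the input is empty and the mode is reported as unknown.
if sysctl -n net.link.bridge.pfil_member >/dev/null 2>&1; then
    live=$(sysctl -e net.link.bridge.pfil_member net.link.bridge.pfil_bridge)
else
    live=""
fi
mode=$(bridge_pfil_mode "$live" || true)
echo "bridge L3 filtering: $mode"
if [ "$mode" = "l3-on" ]; then
    echo "bridged traffic is passed through the L3 firewall; to keep that across"
    echo "the default change, add to /etc/sysctl.conf:"
    bridge_pfil_conf 1
fi
```

Run it on the host that owns the bridge. An "l3-on" result on a system upgraded past this commit means someone has already pinned the old behaviour; an "l3-off" result on a host whose firewall rules were written for bridge members means those rules are no longer consulted for bridged traffic and the filtering has to move to the member interfaces' own hooks or to the VM side.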
