Date: Fri, 18 Apr 2008 21:23:28 +0100
From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To: freebsd-pf@freebsd.org
Subject: Re: PF + if_bridge + NAT anomaly
Message-ID: <48090340.50200@jcornwall.me.uk>
In-Reply-To: <4807E452.4090304@jcornwall.me.uk>
References: <4807E452.4090304@jcornwall.me.uk>
Jay L. T. Cornwall wrote:
> Even without 'block out all', the simple presence of:
>
> pass out quick on $bridge_if
>
> Causes NAT to stop. tcpdump on vr1 shows that packets with private IPs
> are passing to the WAN (and being filtered upstream). What is causing
> NAT to stop functioning by the presence of a loose rule? Does the
> default 'pass all' have additional flags necessary for NAT to function
> correctly?

OK, I've solved this. Kind of.

By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default 1,
the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on bridge0
is still required even though if_bridge(4) would suggest otherwise:

    net.link.bridge.pfil_bridge
        Set to 1 to enable filtering on the bridge interface, set to 0
        to disable it.

OK, whatever. :)

--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
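As an added illustration, not the poster's ruleset or anything from the thread, the fragment below sketches a pf.conf for the bridged NAT gateway the message describes, with the sysctl from the post as its companion setting. vr1 (WAN) and bridge0 are taken from the post; vr0 as the LAN-side bridge member, the 192.168.1.0/24 range and the egress rule that logs untranslated private sources are assumptions added here.

```pf
# Added illustration (not from the mailing-list post): minimal pf.conf for a
# bridged NAT gateway. vr1 and bridge0 come from the post; vr0 as the LAN-side
# bridge member and the 192.168.1.0/24 range are assumed.
#
# Companion setting reported in the post, e.g. in /etc/sysctl.conf:
#   net.link.bridge.pfil_bridge=0
# if_bridge(4): set to 1 to enable filtering on the bridge interface, 0 to
# disable it. Filtering on the member interfaces is unaffected.

ext_if    = "vr1"
int_if    = "vr0"              # assumed LAN-side member of bridge0
bridge_if = "bridge0"
lan_net   = "192.168.1.0/24"   # assumed private LAN range

set skip on lo0
scrub in all

# Translate LAN traffic leaving the WAN interface to its current address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions, logged.
block in log all
block out log all

# The post found this rule still necessary even with pfil_bridge=0.
pass in quick on $bridge_if

# With pfil_bridge at its default of 1, the post reports that a rule of the
# following form stopped NAT from being applied; it is left disabled here:
#   pass out quick on $bridge_if

# Egress guard: pf evaluates nat rules before outbound filter rules, so this
# rule only matches packets that escaped translation. A hit in pflog is the
# exact symptom the post saw with tcpdump on vr1 (private IPs on the WAN).
block out log quick on $ext_if from $lan_net to any

# LAN hosts may initiate outbound connections; state carries the replies back.
pass in on $int_if from $lan_net to any keep state
pass out on $int_if keep state
pass out on $ext_if keep state
```

Reload with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0` for hits on the egress guard: any logged packet there means traffic left vr1 without being translated, which is the condition worth alerting on rather than leaving to upstream filtering.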