Date:      Thu, 2 Dec 2004 09:17:13 +0100
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        Pyun YongHyeon <yongari@kt-is.co.kr>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: FreeBSD bridge + filtering, BIG problem
Message-ID:  <20041202081713.GO79919@obiwan.tataz.chchile.org>
In-Reply-To: <20041202033920.GC12155@kt-is.co.kr>
References:  <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com> <20041202033920.GC12155@kt-is.co.kr>

> Both pf/ipf should see inbound/outbound traffic in order to
> create states. But in bridge(4), pfil(9) hook for outbound packet
> is absent. ipfw can create states without seeing outbound packet.
> Maybe it would be the authors' intention to reduce overhead by not
> checking packets in both directions.
> 
> I guess ipfw can't filter outbound packet in bridged setup too.
> 
> Long time ago, I wrote a patch to add pfil(9) outbound hook
> in bridge setup. The patch makes pf's scrub rule work too.
> It wouldn't apply to 5.3R but you can see the point.
> 
> http://www.kr.freebsd.org/~yongari/patches/bridge.patch

Could we hope to see this patch merged some day?  Are there major
drawbacks with this pfil outbound hook in bridge setup?  At first
glance, it seems to be cool that pf and ipf perform the same while in
routing or bridging mode.

Best regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org
