From: Jeremie Le Hen <tataz@tataz.chchile.org>
To: Pyun YongHyeon
cc: gtg062h@mail.gatech.edu, freebsd-pf@freebsd.org
Date: Thu, 2 Dec 2004 09:17:13 +0100
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041202081713.GO79919@obiwan.tataz.chchile.org>
In-Reply-To: <20041202033920.GC12155@kt-is.co.kr>
References: <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com> <20041202033920.GC12155@kt-is.co.kr>
List-Id: Technical discussion and general questions about packet filter (pf)

> Both pf/ipf should see inbound/outbound traffic in order to
> create states. But in bridge(4), the pfil(9) hook for outbound packets
> is absent. ipfw can create states without seeing outbound packets.
> Maybe it was the author's intention to reduce overhead by not
> checking packets in both directions.
>
> I guess ipfw can't filter outbound packets in a bridged setup either.
>
> A long time ago, I wrote a patch to add a pfil(9) outbound hook
> in the bridge setup. The patch makes pf's scrub rule work too.
> It wouldn't apply to 5.3R but you can see the point.
>
> http://www.kr.freebsd.org/~yongari/patches/bridge.patch

Could we hope to see this patch merged some day? Are there major drawbacks to this pfil outbound hook in a bridge setup? At first glance, it seems cool that pf and ipf would behave the same in routing and bridging mode.

Best regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org