From: Pyun YongHyeon
To: Jeremie Le Hen
Cc: gtg062h@mail.gatech.edu, freebsd-pf@freebsd.org
Date: Thu, 2 Dec 2004 17:58:58 +0900 (KST)
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041202085858.GC12562@kt-is.co.kr>
In-Reply-To: <20041202081713.GO79919@obiwan.tataz.chchile.org>
References: <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com> <20041202033920.GC12155@kt-is.co.kr> <20041202081713.GO79919@obiwan.tataz.chchile.org>
List-Id: freebsd-pf (Technical discussion and general questions about packet filter (pf))

On Thu, Dec 02, 2004 at 09:17:13AM +0100, Jeremie Le Hen wrote:
> > Both pf/ipf should see inbound/outbound traffic in order to
> > create states. But in bridge(4), the pfil(9) hook for outbound packets
> > is absent. ipfw can create states without seeing the outbound packet.
> > Maybe it was the authors' intention to reduce overhead by not
> > checking packets in both directions.
> >
> > I guess ipfw can't filter outbound packets in a bridged setup either.
> >
> > A long time ago, I wrote a patch to add a pfil(9) outbound hook
> > in the bridge setup. The patch makes pf's scrub rule work too.
> > It wouldn't apply to 5.3R but you can see the point.
> >
> > http://www.kr.freebsd.org/~yongari/patches/bridge.patch
>
> Could we hope to see this patch merged some day? Are there major
> drawbacks with this pfil outbound hook in bridge setup? At first

AFAIK, none. If ipfw doesn't want to handle outbound traffic, as was
the case before, it can do that without registering an outbound hook.

> glance, it seems to be cool that pf and ipf perform the same while in
> routing or bridging mode.
>

I guess andre is working on a new hook interface in bridge environments.
Once it's done, pf/ipf can create real states, I believe.
Of course, that is not sufficient to run pf in bridge mode. Scrubbing
in pf needs special handling since it has to fragment reassembled IP
packets and to generate ICMP messages in case the DF bit is set. All this
work could be done after andre's enhancements.
Sorry, I don't want to duplicate work and at present, I have more
important pending jobs (at least to me) in sparc64.

> Best regards,
> --
> Jeremie Le Hen
> jeremie@le-hen.org

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org