From: driesm.michiels@gmail.com
To: freebsd-ipfw@freebsd.org
Subject: Converting net.link.bridge.pfil_bridge=0 and net.link.bridge.pfil_member=0 to explicit rules
Date: Sat, 24 Oct 2020 16:47:40 +0200
Message-ID: <003001d6aa14$9f93f4f0$debbded0$@gmail.com>
Hi IPFW mailing list,

I'm trying to mimic the behavior of the following sysctls in explicit rules:

* net.link.bridge.pfil_bridge=0
* net.link.bridge.pfil_member=0

From what I understand, the first one disables filtering on the bridge, so incoming packets on the bridge need not be allowed explicitly. The second one does the same for the members, for both incoming and outgoing packets on a member of the bridge.

So let's say I have em0 as a member which is my WAN connection and igb0.10 as a VLAN bridge member for IPTV on my LAN. I have tried the following rules to mimic the behavior of the sysctls:

* allow ip from any to any in via em0 in via bridge0
* allow ip from any to any in via igb0.10 in via bridge0
* allow ip from any to any in via em0 out via igb0.10
* allow ip from any to any in via igb0.10 out via em0

I can't seem to figure out how to mimic the sysctl behavior.

The reason why I need to disable the sysctls and convert to explicit rules is that I'm going to add an extra bridge with a private address space. So packets on this bridge do need to get injected into IPFW for NAT and can't just get skipped by setting the sysctl knobs.

For now I only have one bridge where I just want to pass all traffic, and so the sysctls work fine.

Regards,
Dries