Date: Sun, 20 Apr 2008 21:31:58 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF + if_bridge + NAT anomaly
Message-ID: <200804202131.58491.max@love2party.net>
In-Reply-To: <48090340.50200@jcornwall.me.uk>
References: <4807E452.4090304@jcornwall.me.uk> <48090340.50200@jcornwall.me.uk>
On Friday 18 April 2008 22:23:28 Jay L. T. Cornwall wrote:
> Jay L. T. Cornwall wrote:
> > Even without 'block out all', the simple presence of:
> > pass out quick on $bridge_if
> >
> > Causes NAT to stop. tcpdump on vr1 shows that packets with private
> > IPs are passing to the WAN (and being filtered upstream). What is
> > causing NAT to stop functioning by the presence of a loose rule? Does
> > the default 'pass all' have additional flags necessary for NAT to
> > function correctly?
>
> OK, I've solved this. Kind of.
>
> By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default
> 1 the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on
> bridge0 is still required even though if_bridge(4) would suggest
> otherwise:
>
> net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
> interface, set to 0 to disable it.
>
> OK, whatever. :)

Filtering on a bridge is a bit tricky. I think what happened in your
scenario is that a state was created for the flow on *IN* bridge0 which
would then prevent NAT from happening.

Would you be up to share your complete working setup for future
reference?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
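A minimal pf.conf that puts the thread's findings side by side, added here as an illustration rather than Jay's actual configuration (which he was asked to post). The interface names vr1 and bridge0 and the sysctl name come from the messages above; the LAN subnet, the file locations and the pfil_member line are assumptions:

```pf
# /etc/sysctl.conf (assumed location), as reported in the thread:
#   net.link.bridge.pfil_bridge=0   # do not run pf on bridge0 itself
#   net.link.bridge.pfil_member=1   # keep filtering on the member NICs (assumed default)

ext_if    = "vr1"              # WAN member NIC, from the thread
bridge_if = "bridge0"          # the bridge, from the thread
lan_net   = "192.168.0.0/24"   # ASSUMED private range behind the bridge

# Translate private sources on the WAN member. Per Max's diagnosis, with
# pfil_bridge=1 the same packet was also evaluated on bridge0 and a state
# was created there first, so the translation on vr1 never took place.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Reported as still required even with pfil_bridge=0.
pass in on $bridge_if

# Filter on the member where NAT lives, not on the bridge.
pass out quick on $ext_if keep state

# The rule that broke NAT while pfil_bridge=1; leave it out.
# pass out quick on $bridge_if
```

Reload with `pfctl -f /etc/pf.conf` and confirm with `tcpdump -ni vr1` that outbound packets carry the vr1 address rather than a private source; `pfctl -ss` shows on which interface each state was created, which is the quickest way to see whether a bridge0 state is still shadowing the NAT rule.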