authorKristof Provost <kp@FreeBSD.org>2022-10-14 05:57:33 +0000
committerKristof Provost <kp@FreeBSD.org>2022-10-24 06:52:21 +0000
commit22893e584032f22f24cae8e8b1b77ea70e83bd69 (patch)
tree641bed3ff61c4d3f2d959954ee909c940ffc8764
parent2db785aa01eb575fbd6d5ba024099f9100913ee3 (diff)
bridge: default to not filtering L3
Change the default for net.link.bridge.pfil_member and net.link.bridge.pfil_bridge to zero. That is, default to not calling layer 3 firewalls on the bridge or its member interfaces. With either of these enabled the bridge will, during L2 processing, remove the Ethernet header from packets, feed them to L3 firewalls, re-add the Ethernet header and send them out. Not only does this interact very poorly with firewalls which defer packets, or reassemble and refragment IPv6, it also causes considerable confusion for users, because the firewall gets called in unexpected ways. For example, a bridge which contains a bhyve tap and the host's LAN interface. We'd expect traffic between the LAN and bhyve VM to pass, no matter what (layer 3) firewall rules are set on the host. That's not the case as long as pfil_bridge or pfil_member are set. Reviewed by: Zhenlei Huang MFC: never Differential Revision: https://reviews.freebsd.org/D37009
-rw-r--r--sys/net/if_bridge.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index f2538a78f943..e8e552aa1853 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -415,7 +415,7 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip,
"Only pass IP packets when pfil is enabled");
/* run pfil hooks on the bridge interface */
-VNET_DEFINE_STATIC(int, pfil_bridge) = 1;
+VNET_DEFINE_STATIC(int, pfil_bridge) = 0;
#define V_pfil_bridge VNET(pfil_bridge)
SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge,
CTLFLAG_RWTUN | CTLFLAG_VNET, &VNET_NAME(pfil_bridge), 0,
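Review bot: The comment above the flipped default, `/* run pfil hooks on the bridge interface */`, does not say that the hook is now off by default, so a reader of the sysctl table cannot tell that bridged traffic skips the layer-3 firewalls unless net.link.bridge.pfil_bridge is set; the pfil_member hunk below has the same gap. Hosts that relied on the previous default of 1 will silently stop filtering bridged traffic after this change, which is worth stating at the definition rather than only in the commit message. I would extend the comment to `/* run pfil hooks on the bridge interface (default 0: bridged traffic is not passed to L3 firewalls unless enabled) */` and phrase the pfil_member comment the same way. The SYSCTL_INT description string that follows is also a candidate for noting the default, but its text continues outside the hunk; an UPDATING entry may be warranted as well, though that is outside this diff.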
@@ -433,7 +433,7 @@ SYSCTL_INT(_net_link_bridge, OID_AUTO, ipfw_arp,
"Filter ARP packets through IPFW layer2");
/* run pfil hooks on the member interface */
-VNET_DEFINE_STATIC(int, pfil_member) = 1;
+VNET_DEFINE_STATIC(int, pfil_member) = 0;
#define V_pfil_member VNET(pfil_member)
SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member,
CTLFLAG_RWTUN | CTLFLAG_VNET, &VNET_NAME(pfil_member), 0,