On 10 Jul 2020, at 22:37, Ultima wrote:
> Hey Kristof,
>
>> (It’s already possible to use pf on top of a bridge in
>> bump-in-the-wire mode. Given the gotchas in that code I **strongly**
>> recommend people don’t use that functionality.)
>
> Do you mind going into details on the gotchas or providing links?
I am reluctant to, because people will delude themselves into believing
they can avoid the landmines.

The entire way this feature is implemented is wrong, and you cannot
reliably avoid the landmines. If you use it at some point you will find
yourself spread out over the landscape.

That said, very briefly, (and understand that it **will** blow up in
your face when it’s most annoying): the way this feature works is by
stripping off the ethernet header, passing the IP packet to pf, and then
re-adding the ethernet header once pf is done with it.

This explodes spectacularly if you do something that causes the packet
to not be returned by pf, such as a route-to/reply-to rule, or anytime
IPv6 fragmentation is involved.

Best regards,
Kristof
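An audit check a FreeBSD admin could run against the advice above, added here as an example and not part of the post or of FreeBSD: it reads the if_bridge(4) pfil sysctls and scans `pfctl -sr` output for the route-to/reply-to actions Kristof names. The sample sysctl and rule text below are constructed so the script also runs off a FreeBSD box.

```shell
#!/bin/sh
# Added example (not FreeBSD's or the post author's code): flag hosts that
# filter on a bridge with pf while loading rules the post says break that path.

# True (exit 0) when bridge filtering is switched on. Input is sysctl(8)
# output, one "name: value" per line.
bridge_pfil_enabled() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "net.link.bridge.pfil_bridge" && $2 == "1" { found = 1 }
        $1 == "net.link.bridge.pfil_member" && $2 == "1" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Count rules in "pfctl -sr" output that use route-to or reply-to.
# "|| true" keeps a zero count from being treated as a failure under set -e.
risky_rule_count() {
    printf '%s\n' "$1" \
        | grep -cE '(^|[[:space:]])(route-to|reply-to)([[:space:]]|$)' || true
}

# Constructed sample input. On a live FreeBSD host use instead:
#   SYSCTL_OUT=$(sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member)
#   RULES=$(pfctl -sr)
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0'
SAMPLE_RULES='pass in on bridge0 inet proto tcp from any to any port = 22
pass in on bridge0 route-to (em1 192.0.2.1) inet from 10.0.0.0/8 to any
block drop in quick on bridge0 inet6 from any to any'

# Exit non-zero when bridge filtering is on and risky rules are loaded.
audit() {
    if bridge_pfil_enabled "$1"; then
        n=$(risky_rule_count "$2")
        echo "bridge filtering is on; $n route-to/reply-to rule(s) loaded"
        [ "$n" -eq 0 ]
    else
        echo "bridge filtering is off"
    fi
}

audit "$SAMPLE_SYSCTL" "$SAMPLE_RULES"
```

The IPv6 fragmentation case the post mentions depends on traffic rather than on the ruleset, so no rule scan catches it; the check above only confirms whether the bridge path is in use at all.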
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf