pf on bridge interface not working


pf on bridge interface not working

Eric Zylstra
My box has three interfaces, dc0 to manage, em0 and em1 for bridging external LAN to internal LAN.

hostname.em0:
up

hostname.em1:
up

hostname.bridge0:
add em0
add em1
up

Bridge works, traffic flows across no problem.

Now add filtering.

pf.conf:
filtered = "{ em1 }"
not_filtered = "{ lo, dc0, em0, bridge0 }"
block log on $filtered
set skip on $not_filtered

`tcpdump -nettti pflog0` shows lots of filtered packets.

-But- make one simple change to filter on the bridge0 interface--
pf.conf:
filtered = "{ bridge0 }"
not_filtered = "{ lo, dc0, em0, em1 }"
block log on $filtered
set skip on $not_filtered

> doas pfctl -f /etc/pf.conf
> doas pfctl -sr
block drop log on bridge0 all

Despite the rules displayed by pfctl, traffic is NOT filtered. (!?)
`tcpdump -nettti pflog0` shows no packets being filtered.

What am I overlooking?



E






Re: pf on bridge interface not working

Stuart Henderson
On 2021-02-20, Eric Zylstra <[hidden email]> wrote:

> -But- make one simple change to filter on the bridge0 interface--
> pf.conf:
>
> filtered = "{ bridge0 }"
> not_filtered = "{ lo, dc0, em0, em1 }"
> block log on $filtered
> set skip on $not_filtered
>
>
>> doas pfctl -f /etc/pf.conf
>
>> doas pfctl -sr
>
> block drop log on bridge0 all
>
>
>
> Despite the rules displayed by pfctl, traffic is NOT filtered. (!?) 
> `tcpdump -nettti pflog0` shows no packets being filtered.
>
>
>
> What am I overlooking?

bridge(4) doesn't work like that on OpenBSD. You need to filter the member
ports instead.

On the whole, bridge and PF interactions are a bit complicated. Keep an eye
out for veb(4) (https://marc.info/?l=openbsd-tech&m=161335364329307&w=2)
which may be coming to a tree near you soon and will simplify things a lot.
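Following Stuart's answer, here is an added example (not part of the thread, and not the poster's configuration) of a pf.conf that filters on the bridge member ports instead of on bridge0. It keeps the poster's layout (em0 facing the external LAN, em1 facing the internal LAN, both in bridge0, dc0 for management); the internal subnet 192.0.2.0/24, the server address 192.0.2.10 and the exposed ports are assumed placeholders.

```pf
# /etc/pf.conf for a transparent bridge firewall (added example, not from
# the thread). Interface layout as in the original post; addresses below
# are placeholders.

ext_if  = "em0"          # bridge member on the external LAN
int_if  = "em1"          # bridge member on the internal LAN
mgmt_if = "dc0"          # management interface, not bridged
int_net = "192.0.2.0/24" # assumed internal subnet
web_srv = "192.0.2.10"   # assumed internal host exposed to the outside

# Rules are matched on the member ports, not on bridge0, so filtering
# has to be attached to em0/em1. Skipping the internal member as well
# means a packet crossing the bridge is evaluated exactly once, on
# ext_if, instead of in on one member and out on the other. Listing
# bridge0 in the skip set is harmless and keeps the intent explicit.
set skip on { lo $mgmt_if $int_if bridge0 }

# Default deny on the external member, logged so pflog0 shows the drops.
block log on $ext_if

# Connections started on the internal LAN may leave via ext_if; the state
# created here also matches their replies coming back in on ext_if.
pass out on $ext_if from $int_net

# The only service the external LAN may reach.
pass in on $ext_if proto tcp to $web_srv port { 80 443 }

# Checks:
#   doas pfctl -nf /etc/pf.conf   parse only, catches typos before loading
#   doas pfctl -f  /etc/pf.conf   load
#   doas pfctl -sr                every rule should name em0, never bridge0
#   tcpdump -nettti pflog0        blocked packets now appear here
```

Because the rule is bound to a member port, the blocked packets show up on pflog0 the way they did in the poster's first (em1) configuration, which is precisely what `block log on bridge0` failed to do. pf only sees IP traffic, so ARP and other non-IP frames still cross the bridge untouched.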



Re: pf on bridge interface not working

Eric Zylstra
On February 21, 2021 at 5:32 AM, Stuart Henderson <[hidden email]> wrote:

> On 2021-02-20, Eric Zylstra <[hidden email]> wrote:
>
>> -But- make one simple change to filter on the bridge0 interface--
>> pf.conf:
>>
>> filtered = "{ bridge0 }"
>> not_filtered = "{ lo, dc0, em0, em1 }"
>> block log on $filtered
>> set skip on $not_filtered
>>
>>> doas pfctl -f /etc/pf.conf
>>
>>> doas pfctl -sr
>>
>> block drop log on bridge0 all
>>
>> Despite the rules displayed by pfctl, traffic is NOT filtered. (!?)
>> `tcpdump -nettti pflog0` shows no packets being filtered.
>>
>> What am I overlooking?
>
> bridge(4) doesn't work like that on OpenBSD. You need to filter the member
> ports instead.

Interesting. I'm certain I was doing this 8-10 years ago.

> On the whole, bridge and PF interactions are a bit complicated.

That also was part of my memory--that it wasn't advised and behaved in interesting and fabulous ways (well, unexpected and not great ways).

> Keep an eye
> out for veb(4) (https://marc.info/?l=openbsd-tech&m=161335364329307&w=2)
> which may be coming to a tree near you soon and will simplify things a lot.

Cool.

E