pf on bridge interface not working


pf on bridge interface not working

Eric Zylstra
This came through to me from the list with “no content”, so I’m trying again.
——————————

My box has three interfaces, dc0 to manage, em0 and em1 for bridging external LAN to internal LAN.

    hostname.em0: up
    hostname.em1: up
    hostname.bridge0: add em0 add em1 up

Bridge works, traffic flows across no problem.

Add filtering.
pf.conf:
    filtered = "{ em1 }"
    not_filtered = "{ lo, dc0, em0, bridge0 }"
    block log on $filtered
    set skip on $not_filtered

`doas pfctl -sr`
block drop log on em1 all

`tcpdump -nettti pflog0` shows lots of filtered packets. Traffic is blocked.

-But-
make one simple change to filter on the bridge0 interface—

pf.conf:
    filtered = "{ bridge0 }"
    not_filtered = "{ lo, dc0, em0, em1 }"
    block log on $filtered
    set skip on $not_filtered

`doas pfctl -sr`
block drop log on bridge0 all

traffic is NOT blocked and everything flows right on through. (!?)
`tcpdump -nettti pflog0` shows no packets being filtered.

Am I overlooking something?

E


Re: pf on bridge interface not working

Erling Westenvik-2
On Sat, Feb 20, 2021 at 04:17:11PM -0600, Eric Zylstra wrote:

> -But-
> make one simple change to filter on the bridge0 interface—
>
> pf.conf:
>     filtered = "{ bridge0 }"
>     not_filtered = "{ lo, dc0, em0, em1 }"
>     block log on $filtered
>     set skip on $not_filtered
>
> `doas pfctl -sr`
> block drop log on bridge0 all
>
> traffic is NOT blocked and everything flows right on through. (!?)
> `tcpdump -nettti pflog0` shows no packets being filtered.
>
> Am I overlooking something?

Perhaps this from bridge(4):

--8<--
NOTES
Bridged packets pass through pf(4) filters once as input on the receiving
interface and once as output on all interfaces on which they are
forwarded.  In order to pass through the bridge packets must pass any in
rules on the input and any out rules on the output interface.  Packets
may be blocked either entering or leaving the bridge.
-->8--

I partly recall a phrasing that I cannot find again now, unsure whether
it was from a manpage or from the FAQ, something along the lines of: "Due
to the nature of bridged interfaces [...] you really have to understand
this very well to do [packet filtering] right".

Erling
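
A ruleset that follows the bridge(4) note quoted above, added here as an illustration and not taken from either post in the thread. It keeps the interface names from the original post (dc0 for management, em0 external, em1 internal, bridge0 = em0 + em1) and assumes 192.0.2.0/24 as the internal LAN, which is a made-up value for the example. Because a bridged packet is only evaluated "in" on the member interface it arrived on and "out" on the member interface it is forwarded to, the member interfaces are where the rules have to live; the second ruleset in the original post skipped exactly those two interfaces, so nothing on the bridged path was ever evaluated.

```conf
# /etc/pf.conf -- added example for a filtering two-port bridge on OpenBSD.
# Interface names follow the original post; 192.0.2.0/24 is an assumed LAN.
mgmt_if = "dc0"
ext_if  = "em0"
int_if  = "em1"
lan     = "192.0.2.0/24"

# lo, the management interface and the bridge pseudo-interface are not on the
# bridged forwarding path.  Skipping them is fine; skipping em0/em1 is not,
# because those are the only interfaces on which bridged packets hit pf.
set skip on { lo $mgmt_if bridge0 }

# Default deny on both bridge members, both directions, logged to pflog0.
block log on { $ext_if $int_if }

# A bridged packet must pass an "in" rule on the interface it was received on
# AND an "out" rule on the interface it is forwarded to (bridge(4) NOTES).
# Policy: the internal LAN may initiate TCP/UDP to the outside; replies are
# matched by the state these rules create.
pass in  on $int_if proto { tcp udp } from $lan to any
pass out on $ext_if proto { tcp udp } from $lan to any

# Same pair for ICMP so the LAN can ping out.
pass in  on $int_if inet proto icmp from $lan to any
pass out on $ext_if inet proto icmp from $lan to any

# Nothing is passed "in" on $ext_if, so connections initiated from the outside
# are dropped at the external member and never reach the internal one.
```

Check it with `doas pfctl -nf /etc/pf.conf` before loading, load with `doas pfctl -f /etc/pf.conf`, and confirm the rules are bound to em0 and em1 with `doas pfctl -sr`. With this in place the same `tcpdump -nettti pflog0` test from the original post should show the blocked packets again, logged against em0 or em1 rather than bridge0.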