freebsd-dev/sys/net
Kristof Provost 22893e5840 bridge: default to not filtering L3
Change the default for net.link.bridge.pfil_member and
net.link.bridge.pfil_bridge to zero.

That is, default to not calling layer 3 firewalls on the bridge or its
member interfaces.

With either of these enabled the bridge will, during L2 processing,
remove the Ethernet header from packets, feed them to L3 firewalls,
re-add the Ethernet header and send them out.

Not only does this interact very poorly with firewalls which defer
packets, or reassemble and refragment IPv6, it also causes considerable
confusion for users, because the firewall gets called in unexpected
ways.

For example, a bridge which contains a bhyve tap and the host's LAN
interface. We'd expect traffic between the LAN and bhyve VM to pass, no
matter what (layer 3) firewall rules are set on the host. That's not the
case as long as pfil_bridge or pfil_member are set.

Reviewed by:	Zhenlei Huang
MFC:		never
Differential Revision:	https://reviews.freebsd.org/D37009
2022-10-24 08:52:21 +02:00
altq net: remove stale altq_input reference 2022-09-07 10:03:12 +00:00
route netlink: add netlink support 2022-10-01 14:15:35 +00:00
bpf_buffer.c
bpf_buffer.h
bpf_filter.c bpf(3): Grammar fix for a source code comment 2022-09-04 17:30:05 +02:00
bpf_jitter.c
bpf_jitter.h
bpf_zerocopy.c
bpf_zerocopy.h
bpf.c bpf: obtain timestamps from controller via pkthdr if available 2022-10-03 18:53:40 -04:00
bpf.h bpf: Correct a comment 2022-06-20 12:48:13 -04:00
bpfdesc.h bpf: Add an ioctl to set the VLAN Priority on packets sent by bpf 2021-07-26 23:13:31 +02:00
bridgestp.c bridgestp: validate timer values in config BPDU 2021-04-19 12:09:18 +02:00
bridgestp.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
debugnet_inet.c debugnet: Fix false-positive assertions for dp_state 2021-07-28 16:34:14 -07:00
debugnet_int.h
debugnet.c debugnet: Fix an error handling bug in the DDB command tokenizer 2022-06-16 10:05:10 -04:00
debugnet.h debugnet: Fix a typo in a source code comment 2022-08-07 16:07:01 +02:00
dlt.h net(4): Fix a typo in a source code comment 2022-04-02 14:57:06 +02:00
ethernet.h net(3): Fix a typo in a source code comment 2022-04-02 10:53:40 +02:00
firewire.h
ieee8023ad_lacp.c lacp: Remove racy kassert 2022-06-13 11:32:10 -04:00
ieee8023ad_lacp.h lacp: short timeout erroneously declares link-flapping 2022-04-27 12:41:30 -07:00
ieee_oui.h Remove "All Rights Reserved" from FreeBSD Foundation sys/ copyrights 2021-08-08 10:42:24 -04:00
if_arp.h
if_bridge.c bridge: default to not filtering L3 2022-10-24 08:52:21 +02:00
if_bridgevar.h net: make if_bridgevar.h self-contained 2021-12-17 12:38:35 +01:00
if_clone.c if_clone: add ifc_link_ifp() / ifc_unlink_ifp() to the KPI 2022-09-24 19:42:42 +00:00
if_clone.h if_clone: add ifc_link_ifp() / ifc_unlink_ifp() to the KPI 2022-09-24 19:42:42 +00:00
if_dead.c Add a switch structure for send tags. 2021-09-14 11:43:41 -07:00
if_disc.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-08-22 22:56:08 +00:00
if_dl.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
if_edsc.c
if_enc.c
if_enc.h
if_epair.c if_epair: fix build with RSS 2022-10-03 17:02:55 +02:00
if_ethersubr.c ether_resolve_addr: eh is only used for INET or INET6. 2022-04-13 16:08:21 -07:00
if_fwsubr.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-08-22 22:56:08 +00:00
if_gif.c if_gif: fix vnet shutdown panic 2021-11-08 12:00:00 +01:00
if_gif.h
if_gre.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-08-22 22:56:08 +00:00
if_gre.h
if_infiniband.c infiniband_resolve_addr: ih is only used for INET or INET6. 2022-04-13 16:08:21 -07:00
if_ipsec.c Use network epoch to protect local IPv4 addresses hash. 2021-10-22 14:40:53 -07:00
if_ipsec.h
if_lagg.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_lagg.h lagg: fix lagg ifioctl after SIOCSIFCAPNV 2022-07-28 10:39:00 -04:00
if_llatbl.c if_llatbl: Fix a typo in a debug statement 2022-06-04 15:22:09 +02:00
if_llatbl.h netinet6: Fix mbuf leak in NDP 2022-05-31 21:06:14 +00:00
if_llc.h
if_loop.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_me.c if_me: Use dedicated network privilege 2022-10-15 17:05:36 +02:00
if_media.c if_media.c SIOCGMEDIAX handler: improve loop 2020-11-03 14:33:04 +00:00
if_media.h if_media: definitions for 40GE LM4 ethernet media type 2020-09-16 14:45:16 +00:00
if_mib.c ifnet: make V_if_index static to if.c 2021-12-06 09:32:31 -08:00
if_mib.h
if_ovpn.c if_ovpn: add sysctls for netisr_queue() and crypto_dispatch_async() 2022-10-24 10:08:35 +02:00
if_ovpn.h if_ovpn(4): implement ioctl() to set if_flags 2022-10-17 15:33:45 +02:00
if_pflog.h pflog: align header to 4 bytes, not 8 2022-02-01 18:17:44 +01:00
if_pfsync.h pf: make if_pfsync.h self-contained 2021-12-17 12:38:35 +01:00
if_stf.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_stf.h if_stf: make if_stf.h self-contained 2021-12-17 12:38:34 +01:00
if_tap.h
if_tun.h
if_tuntap.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_types.h net(3): Fix a typo in a source code comment 2022-04-02 09:41:10 +02:00
if_var.h ifp: add if_setdescr() / if_freedesrt() methods 2022-09-24 19:42:42 +00:00
if_vlan_var.h vlan: deduplicate bpf_setpcp() and pf_ieee8021q_setpcp() 2021-07-26 23:13:31 +02:00
if_vlan.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_vxlan.c if_vxlan(4): Correct the statistic for output bytes 2022-10-07 13:45:16 +02:00
if_vxlan.h if_vxlan(4): add support for hardware assisted checksumming, TSO, and RSS. 2020-09-18 02:37:57 +00:00
if.c ifp: add if_setdescr() / if_freedesrt() methods 2022-09-24 19:42:42 +00:00
if.h arp: Implement sticky ARP mode for interfaces. 2022-05-27 12:41:30 +00:00
ifdi_if.m iflib: add support for admin completion queues 2021-03-03 00:40:47 +01:00
iflib_clone.c Create wrapper for Giant taken for newbus 2021-12-09 17:04:45 -07:00
iflib_private.h
iflib.c iflib: Introduce v2 of TX Queue Select Functionality 2022-10-17 14:59:55 -07:00
iflib.h iflib: Introduce v2 of TX Queue Select Functionality 2022-10-17 14:59:55 -07:00
ifq.h Make net/ifq.h C++ friendly 2020-11-20 14:45:45 +00:00
infiniband.h Factor out generic IP over infiniband, IPoIB, definitions and code 2020-10-22 09:09:53 +00:00
mp_ring.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
mp_ring.h
mppc.h
mppcc.c
mppcd.c
netisr_internal.h
netisr.c netisr(9): Fix a typo in a source code comment 2022-09-03 15:04:15 +02:00
netisr.h
netmap_legacy.h netmap: add kernel support for the "offsets" feature 2021-03-29 16:29:01 +00:00
netmap_user.h netmap: fix refcount bug in netmap allocator 2022-03-06 16:39:16 +00:00
netmap_virt.h netmap: add kernel support for the "offsets" feature 2021-03-29 16:29:01 +00:00
netmap.h netmap: several typo fixes 2021-04-02 07:01:20 +00:00
paravirt.h
pfil.c net: add pfil_mbuf_{in,out} 2022-09-08 16:20:43 +00:00
pfil.h net: add pfil_mbuf_{in,out} 2022-09-08 16:20:43 +00:00
pfkeyv2.h Add SADB_SAFLAGS_ESN flag 2020-10-16 11:22:29 +00:00
pfvar.h pf: atomically increment state ids 2022-10-08 18:27:29 +02:00
ppp_defs.h
radix.c net: constantify radix.c functions 2022-08-01 07:32:40 +00:00
radix.h net: constantify radix.c functions 2022-08-01 07:32:40 +00:00
rndis.h Hyper-V: hn: Enable vSwitch RSC support in hn netvsc driver 2021-03-12 04:35:16 +00:00
route.c netlink: add netlink support 2022-10-01 14:15:35 +00:00
route.h protosw: retire pr_slowtimo and pr_fasttimo 2022-08-17 11:50:31 -07:00
rss_config.c Revert "wpa: Import wpa_supplicant/hostapd commit 14ab4a816" 2021-12-02 14:45:04 -08:00
rss_config.h
rtsock.c netlink: add netlink support 2022-10-01 14:15:35 +00:00
sff8436.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
sff8472.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
slcompress.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
slcompress.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
toeplitz.c
toeplitz.h
vnet.c ddb: annotate some commands with DB_CMD_MEMSAFE 2022-07-18 22:06:09 +00:00
vnet.h IPv4: experimental changes to allow net 0/8, 240/4, part of 127/8 2022-07-13 09:46:05 -05:00