Subject: Re: brconfig and "ipf" to use "pfil" also
To: George Georgalis <george@galis.org>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: tech-kern
Date: 01/12/2006 23:45:12
On Thu, Jan 12, 2006 at 10:20:05AM -0500, George Georgalis wrote:
> >>   pfil     Enable pfil(9) packet filtering on the bridge.  The current
> >>            implementation filters IP and ICMP packets across the bridge
> >>            with the configured packet filter, pf(4) or ipf(4); while ARP
> >>            and RARP packets are passed, unfiltered, through the bridge.
> >
> >This fails to mention IPv6 and does not tell explicitly that other
> >non-IP, non-(R)ARP packets are blocked. Also, the configured packet filter
> >may be something else than pf or ipf, contrary to what your formulation
> >implies. (True, there is no other packet filter available, but if you
> >write a custom one, it should Just Work.)
> 
> I just forgot "other types" and I don't know what happens with ipv6..

Read the code, then. (sys/net/if_bridge.c).

Still, mentioning ICMP is redundant.

>  pfil   Enable pfil(9) packet filtering on the bridge.  The current
>         implementation filters IP and ICMP packets through the bridge
>         with the configured packet filter: pf(4), ipf(4) or your own;

"or any other which uses the pfil(9) framework." is IMHO better. (A filter
different from ipf or pf may not necessarily be "your own", e.g. if
someone submits such a filter to pkgsrc.)

BTW what exactly was wrong with my original proposal?

Pavel Cahyna