Re: enabling bridge_ipf

To: Maxime Villard <max%m00nbsd.net@localhost>
Subject: Re: enabling bridge_ipf
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Sat, 11 Jul 2020 09:45:33 -0400

Maxime Villard <max%m00nbsd.net@localhost> writes:

> Any reason this isn't enabled by default? Right now you need to recompile
> your kernel with "options BRIDGE_IPF" if you want a firewall on the bridge.
> This is annoying.
>
> There is already a dynamic switch behind it anyway: you need to pass "ipf"
> to brconfig in order for filtering to actually be enabled, so having the
> extra "options BRIDGE_IPF" serves little purpose.
>
> I want to enable BRIDGE_IPF by default, by removing the option and the
> #ifdefs. That is, by making the code part of bridge(4) by default.
>
> Note that BRIDGE_IPF is not related to IPF. It uses the pfil interface, so
> it works with NPF.

This makes sense to me.

The only reason not to would be if it created a lot more code and made
the kernel bigger, or some worry about a few instructions per packet in
bridging.  Surely it's just a tiny overhead, and it doesn't really make
sense for bridges to be special vs other interfaces.  (If someone wants
to compile out PFIL_HOOKS, this should go too.)

So my only request is to do a test compile with PFIL off.

Follow-Ups:
- Re: enabling bridge_ipf
  - From: Maxime Villard

References:
- enabling bridge_ipf
  - From: Maxime Villard

Prev by Date: enabling bridge_ipf
Next by Date: Applying the inet6 ND state engine to inet4
Previous by Thread: enabling bridge_ipf
Next by Thread: Re: enabling bridge_ipf
Indexes:

Home | Main Index | Thread Index | Old Index