Subject: Re: brconfig and "ipf" to use "pfil" also
To: None <tech-kern@netbsd.org>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: tech-kern
Date: 01/12/2006 02:11:10
On Wed, Jan 11, 2006 at 02:34:34PM -0800, Jeremy C. Reed wrote:
> Please carbon copy me on replies.
> 
> Peter Postma and I are working on two different documents briefly 
> documenting bridging with PF.[1]
> 
> The brconfig command for enabling support for PF is called "ipf". I was 
> thinking it could be updated to allow "pf" too.
> 
> Peter said I could post the following to the list:
> 
> > I think that the argument should be "pfil" and "-pfil" because what really
> > happens is enabling and disabling pfil(9) on the bridge.
> > 
> > The description will then look like:
> > 
> >   pfil		Enable packet filtering with pfil(9) on the bridge.
> > 		The current implementation passes all ARP and RARP packets
> > 		through the bridge while filtering IP and ICMP packets through
> > 		the configured packet filter.

I would say instead:

through the bridge while filtering IP and IPv6 packets through
the configured packet filter, such as pf(4) or ipf(4). Other packet types
are blocked.

(IP implies ICMP, but the documentation fails to mention IPv6 and the fact
that other packet types are blocked.)

> > We should also rename the option "BRIDGE_IPF" to "BRIDGE_PFIL" or
> > "PFIL_BRIDGE". Or we might even get rid of this option completely (default
> > is disabled).

I would just remove the option and always compile the code in (when
PFIL_HOOKS is defined). It is lame to force users to recompile the kernel
to get a useful feature which adds a very small amount of code and does not
do anything anyway unless it is explicitly enabled by brconfig.

> Also, a related change might be renaming IFBF_FILT_USEIPF, but this seems 
> okay as it is. My main concern was in the man page.
> 
> And now I see GENERIC kernel configuration comment could be improved and 
> brconfig has at least two possible outputs showing "ipfilter" (for status 
> or -a output). Maybe these could be more generic (not ipfilter specific).
> 
> Would adding "pfil" as a command option for brconfig be okay?

OK for me. I wanted to propose it myself after it was confirmed that pf on
bridge works, but you were faster :-).

> [1] If you'd be interested in reviewing the docs, let me know.

I use PF on bridge in OpenBSD, so I can review your docs.

Bye	Pavel
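The man page wording under discussion (ARP and RARP pass through the bridge, IP and IPv6 go through the configured packet filter via pfil(9), every other packet type is blocked, and nothing is filtered at all unless pfil is enabled on the bridge) can be checked against a small model. The Python below is an added illustration written for this thread, not NetBSD's bridge or pfil(9) code: the hook signature, the `PfilHead` class, the MAC and IP addresses and the sample frames are all constructed for the example, and a real pfil hook chain does considerably more than "first reject wins".

```python
import ipaddress
import struct
from typing import Callable, List, Tuple

# Registered Ethertype values (IEEE assignments)
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_RARP = 0x8035
ETHERTYPE_IPV6 = 0x86DD

PASS, FILTER, DROP = "pass", "filter", "drop"

# Hypothetical hook signature: (packet, direction) -> accept?  Loosely modelled
# on pfil(9), where a hook returning nonzero makes the caller drop the packet.
Hook = Callable[[bytes, str], bool]


class PfilHead:
    """Toy stand-in for a pfil(9) hook list: hooks run in order, first reject wins."""

    def __init__(self) -> None:
        self.hooks: List[Hook] = []

    def add_hook(self, hook: Hook) -> None:
        self.hooks.append(hook)

    def run(self, pkt: bytes, direction: str) -> bool:
        # all() short-circuits, so the first rejecting hook ends the chain
        return all(hook(pkt, direction) for hook in self.hooks)


def classify(frame: bytes) -> Tuple[str, int]:
    """Apply the documented bridge policy to one untagged Ethernet frame."""
    if len(frame) < 14:               # no complete Ethernet header
        return DROP, 0
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        return PASS, ethertype        # ARP/RARP bypass the packet filter
    if ethertype in (ETHERTYPE_IP, ETHERTYPE_IPV6):
        return FILTER, ethertype      # IP and IPv6 go through pfil
    return DROP, ethertype            # everything else is blocked


def bridge_forward(frame: bytes, head: PfilHead, pfil_enabled: bool,
                   direction: str = "in") -> bool:
    """True if the bridge forwards the frame; pfil_enabled models brconfig pfil / -pfil."""
    if not pfil_enabled:
        return len(frame) >= 14       # plain bridge: everything (bar runts) is forwarded
    verdict, _ = classify(frame)
    if verdict != FILTER:
        return verdict == PASS
    return head.run(frame[14:], direction)   # hand the IP packet to the filter


# --- constructed sample traffic (addresses are made up for the example) ---

def ethernet_frame(ethertype: int, payload: bytes) -> bytes:
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_packet(dst: str, src: str = "10.0.0.1") -> bytes:
    # Minimal 20-byte IPv4 header, protocol 1 (ICMP), checksum left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv6_packet(dst: str, src: str = "2001:db8::1") -> bytes:
    # Minimal 40-byte IPv6 header, next header 58 (ICMPv6)
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 58, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def block_destinations(blocked: List[str]) -> Hook:
    """Hook that rejects IPv4/IPv6 packets addressed to any of `blocked`."""
    targets = {ipaddress.ip_address(a) for a in blocked}

    def hook(pkt: bytes, direction: str) -> bool:
        version = pkt[0] >> 4 if pkt else 0
        if version == 4 and len(pkt) >= 20:
            dst = ipaddress.IPv4Address(pkt[16:20])
        elif version == 6 and len(pkt) >= 40:
            dst = ipaddress.IPv6Address(pkt[24:40])
        else:
            return False              # truncated or unknown IP header: reject
        return dst not in targets
    return hook


if __name__ == "__main__":
    head = PfilHead()
    head.add_hook(block_destinations(["10.0.0.5", "2001:db8::5"]))
    samples = {
        "arp": ethernet_frame(ETHERTYPE_ARP, b"\x00" * 28),
        "ip to 10.0.0.5": ethernet_frame(ETHERTYPE_IP, ipv4_packet("10.0.0.5")),
        "ip to 10.0.0.6": ethernet_frame(ETHERTYPE_IP, ipv4_packet("10.0.0.6")),
        "ipv6 to 2001:db8::5": ethernet_frame(ETHERTYPE_IPV6, ipv6_packet("2001:db8::5")),
        "pppoe discovery": ethernet_frame(0x8863, b"\x11\x09\x00\x00\x00\x00"),
    }
    for name, frame in samples.items():
        print(f"{name:22s} -> {'forward' if bridge_forward(frame, head, True) else 'drop'}")
```

The point the model makes visible is the one Pavel's wording adds to Peter's draft: with pfil enabled, a frame that is neither ARP/RARP nor IP/IPv6 (the PPPoE sample) never reaches the filter and is simply dropped, whereas with pfil disabled the same frame is bridged untouched.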