tech-net archive


Re: enabling bridge_ipf



Maxime Villard <max%m00nbsd.net@localhost> writes:

> Any reason this isn't enabled by default? Right now you need to recompile
> your kernel with "options BRIDGE_IPF" if you want a firewall on the bridge.
> This is annoying.
>
> There is already a dynamic switch behind it anyway: you need to pass "ipf"
> to brconfig in order for filtering to actually be enabled, so having the
> extra "options BRIDGE_IPF" serves little purpose.
>
> I want to enable BRIDGE_IPF by default, by removing the option and the
> #ifdefs. That is, by making the code part of bridge(4) by default.
>
> Note that BRIDGE_IPF is not related to IPF. It uses the pfil interface, so
> it works with NPF.

This makes sense to me.

The only reason not to would be if it created a lot more code and made
the kernel bigger, or some worry about a few instructions per packet in
bridging.  Surely it's just a tiny overhead, and it doesn't really make
sense for bridges to be special vs other interfaces.  (If someone wants
to compile out PFIL_HOOKS, this should go too.)

So my only request is to do a test compile with PFIL off.
