| author | Stuart Henderson <sthen@cvs.openbsd.org> | 2007-10-03 20:15:07 +0000 |
|---|---|---|
| committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2007-10-03 20:15:07 +0000 |
| commit | 631319f76280aee009fa12421aaf29432592924a (patch) | |
| tree | 1d428ab15cdf81954b62f98d35f9a8f8748f28f6 | |
| parent | 44ab1b2e4070db8263b65205a6e279dcde28430c (diff) | |
Clarifications about the interaction of bridge and PF.
From Geoff Steckel with a few changes
"please commit it (if no one objects)" jmc, "yes" henning
-rw-r--r-- | share/man/man4/bridge.4 | 31 |
1 files changed, 14 insertions, 17 deletions
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4 index 84c8d849b8a..58a190f6513 100644 --- a/share/man/man4/bridge.4 +++ b/share/man/man4/bridge.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bridge.4,v 1.65 2007/05/31 19:19:49 jmc Exp $ +.\" $OpenBSD: bridge.4,v 1.66 2007/10/03 20:15:06 sthen Exp $ .\" .\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net) .\" All rights reserved. @@ -24,7 +24,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: October 3 2007 $ .Dt BRIDGE 4 .Os .Sh NAME @@ -96,6 +96,9 @@ or .Xr ip6 4 datagram; if so, the datagram is run through the pf interface so that it can be filtered. +See the +.Sx NOTES +section for details. .Sh IOCTLS A .Nm @@ -556,21 +559,15 @@ No such member interface in the bridge. .Sh NOTES Bridged packets pass through .Xr pf 4 -twice. -They can be filtered on any interface, in both directions. -For stateful filtering, filtering on only one interface -and passing all traffic on the other interfaces -(using -.Ic no state -or -.Ic set skip ) -is recommended. -A state entry only permits outgoing packets from initial source to -destination and incoming packets from initial destination to source. -Since bridged packets pass through the filter twice with the source -and destination addresses reversed between interfaces, two state -entries (one for each direction) are required when all interfaces -are filtered statefully. +filters once as input on the receiving interface and once +as output on all interfaces on which they are forwarded. +In order to pass through the bridge packets must pass +any +.Ar in +rules on the input and any +.Ar out +rules on the output interface. +Packets may be blocked either entering or leaving the bridge. .Pp Return packets generated by pf itself are not routed using the kernel routing table. |
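Review bot: In the NOTES hunk, the removed text explained how stateful filtering interacts with the bridge (a state entry only permits the original direction, so filtering statefully on every interface needs two state entries, and the recommended setup was to filter on one interface and pass the others with `no state` or `set skip`); the replacement describes only the in/out rule order on the receiving and forwarding interfaces and drops that guidance without saying whether it still applies. If it is still accurate, keep at least one sentence on state handling, for example that a single state entry covers only one of the two passes. Also, the new lines mark the pf.conf keywords as `.Ar in` and `.Ar out`, whereas the removed lines used `.Ic` for `no state` and `set skip`; `.Ar` denotes an argument placeholder, so a literal-keyword macro such as `.Ic` would be more consistent for fixed rule keywords. Minor: "In order to pass through the bridge packets must pass" reads better with a comma after "bridge".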