author: Stuart Henderson <sthen@cvs.openbsd.org> 2007-10-03 20:15:07 +0000
committer: Stuart Henderson <sthen@cvs.openbsd.org> 2007-10-03 20:15:07 +0000
commit: 631319f76280aee009fa12421aaf29432592924a
tree: 1d428ab15cdf81954b62f98d35f9a8f8748f28f6
parent: 44ab1b2e4070db8263b65205a6e279dcde28430c
Clarifications about the interaction of bridge and PF.
From Geoff Steckel with a few changes "please commit it (if no one objects)" jmc, "yes" henning
-rw-r--r-- share/man/man4/bridge.4 | 31
1 file changed, 14 insertions, 17 deletions
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4
index 84c8d849b8a..58a190f6513 100644
--- a/share/man/man4/bridge.4
+++ b/share/man/man4/bridge.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bridge.4,v 1.65 2007/05/31 19:19:49 jmc Exp $
+.\" $OpenBSD: bridge.4,v 1.66 2007/10/03 20:15:06 sthen Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -24,7 +24,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: October 3 2007 $
.Dt BRIDGE 4
.Os
.Sh NAME
@@ -96,6 +96,9 @@ or
.Xr ip6 4
datagram; if so, the datagram is run through the
pf interface so that it can be filtered.
+See the
+.Sx NOTES
+section for details.
.Sh IOCTLS
A
.Nm
@@ -556,21 +559,15 @@ No such member interface in the bridge.
.Sh NOTES
Bridged packets pass through
.Xr pf 4
-twice.
-They can be filtered on any interface, in both directions.
-For stateful filtering, filtering on only one interface
-and passing all traffic on the other interfaces
-(using
-.Ic no state
-or
-.Ic set skip )
-is recommended.
-A state entry only permits outgoing packets from initial source to
-destination and incoming packets from initial destination to source.
-Since bridged packets pass through the filter twice with the source
-and destination addresses reversed between interfaces, two state
-entries (one for each direction) are required when all interfaces
-are filtered statefully.
+filters once as input on the receiving interface and once
+as output on all interfaces on which they are forwarded.
+In order to pass through the bridge packets must pass
+any
+.Ar in
+rules on the input and any
+.Ar out
+rules on the output interface.
+Packets may be blocked either entering or leaving the bridge.
.Pp
Return packets generated by pf itself are not routed using the
kernel routing table.
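Review bot: the replacement NOTES text drops the stateful-filtering guidance without a substitute. The removed lines explained that a state entry only matches one direction of a flow and that, because a bridged packet traverses pf on both the receiving and the forwarding interface, filtering every member interface statefully requires two state entries rather than one, which is why filtering on only one interface and passing the rest with `no state` or `set skip` was recommended. The new sentence about `in` rules on the input interface and `out` rules on the output interface is clearer about the order in which rules are applied, but a reader of only the new text will not learn why `keep state` on every member interface behaves differently from the routed case; consider keeping one sentence of that advice. Two smaller points: the removed text marked pf.conf keywords with `.Ic` (`.Ic no state`, `.Ic set skip`) while the new lines use `.Ar in` and `.Ar out` for the `in`/`out` keywords, so one macro should be used consistently for keywords; and "In order to pass through the bridge packets must pass" reads better with a comma after "bridge".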