author: Philipp Buehler <pb@cvs.openbsd.org> 2003-06-11 17:03:10 +0000
committer: Philipp Buehler <pb@cvs.openbsd.org> 2003-06-11 17:03:10 +0000
commit: 268bcc476d57b2b9617025eb6e3df88d03877431
tree: c96838a607685e0a28d8b511d9a278fc8f5b6a03 /share
parent: 8807fce6bb1f537975c3edd1465e6dc58cc14700
document that it is unsupported to use return-rst/icmp or synproxy
on bridging firewalls henning@ ok, spelling fixes from jmc@
Diffstat (limited to 'share')
-rw-r--r-- share/man/man4/bridge.4 12
-rw-r--r-- share/man/man5/pf.conf.5 14
2 files changed, 24 insertions, 2 deletions
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4
index 4480515699a..08c65045a39 100644
--- a/share/man/man4/bridge.4
+++ b/share/man/man4/bridge.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bridge.4,v 1.50 2003/06/06 10:29:41 jmc Exp $
+.\" $OpenBSD: bridge.4,v 1.51 2003/06/11 17:03:09 pb Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -584,6 +584,16 @@ and destination addresses reversed between interfaces, two state
entries (one for each direction) are required when all interfaces
are filtered statefully.
.Pp
+It is unsupported to use filter rules which would generate packets.
+This applies to rules with
+.Ar return ,
+.Ar return-rst ,
+.Ar return-icmp ,
+.Ar return-icmp6
+or
+.Ar synproxy
+defined.
+.Pp
If an IP packet is too large for the outgoing interface the bridge
will perform IP fragmentation.
This can happen when bridge members
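Review bot: The new bridge.4 paragraph calls these rules "unsupported", while the pf.conf.5 text added in the same commit says the options "have no effect" and that synproxy "will not work", so a reader cannot tell whether such a rule is ignored, fails, or leaves behaviour undefined. Use one wording on both pages, and add an `.Xr pf.conf 5` reference in this paragraph so the keywords listed with `.Ar` can be looked up. The trailing "defined." reads awkwardly; "This applies to rules that specify ..." would avoid it.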
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index f0fb606f1c1..7841b2c8898 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.255 2003/06/10 16:59:49 deraadt Exp $
+.\" $OpenBSD: pf.conf.5,v 1.256 2003/06/11 17:03:09 pb Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -1030,6 +1030,11 @@ This causes a TCP RST to be returned for
.Xr tcp 4
packets and an ICMP UNREACHABLE for UDP and other packets.
.El
+.Pp
+Options returning packets have no effect if
+.Xr pf 4
+operates on a
+.Xr bridge 4 .
.It Ar pass
The packet is passed.
.El
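Review bot: "Options returning packets have no effect" does not say what happens to the packet that matched the block rule. State explicitly whether the packet is still dropped, since an administrator who writes `return-rst` on a bridging firewall needs to know whether the rule still blocks or is skipped altogether. Naming the affected options here, as the bridge.4 hunk does, would also remove any guessing about which ones count as "returning packets".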
@@ -1670,6 +1675,13 @@ includes
and
.Ar keep state .
.Pp
+Rules with
+.Ar synproxy
+will not work if
+.Xr pf 4
+operates on a
+.Xr bridge 4 .
+.Pp
Example:
.Bd -literal -offset indent
pass in proto tcp from any to any port www flags S/SA synproxy state
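Review bot: "will not work" in the added synproxy paragraph leaves the failure mode open: it does not say whether a connection matching such a rule is passed without the proxied handshake or never completes. Since the example directly below is a `pass ... synproxy state` rule, say which of the two happens on a bridge so nobody assumes the handshake is still being proxied. The paragraph also sits immediately above "Example:", which makes the example read as if it illustrated the bridge case; moving the caveat after the example block would avoid that.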