Re: git: 22893e584032 - main - bridge: default to not filtering L3

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Mon, 24 Oct 2022 15:27:58 UTC
On Mon, Oct 24, 2022 at 08:53:13AM +0000, Kristof Provost wrote:
> The branch main has been updated by kp:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=22893e584032f22f24cae8e8b1b77ea70e83bd69
> 
> commit 22893e584032f22f24cae8e8b1b77ea70e83bd69
> Author:     Kristof Provost <kp@FreeBSD.org>
> AuthorDate: 2022-10-14 05:57:33 +0000
> Commit:     Kristof Provost <kp@FreeBSD.org>
> CommitDate: 2022-10-24 06:52:21 +0000
> 
>     bridge: default to not filtering L3
>     
>     Change the default for net.link.bridge.pfil_member and
>     net.link.bridge.pfil_bridge to zero.
>     
>     That is, default to not calling layer 3 firewalls on the bridge or its
>     member interfaces.
>     
>     With either of these enabled the bridge will, during L2 processing,
>     remove the Ethernet header from packets, feed them to L3 firewalls,
>     re-add the Ethernet header and send them out.
>     
>     Not only does this interact very poorly with firewalls which defer
>     packets, or reassemble and refragment IPv6, it also causes considerable
>     confusion for users, because the firewall gets called in unexpected
>     ways.
>     
>     For example, a bridge which contains a bhyve tap and the host's LAN
>     interface. We'd expect traffic between the LAN and bhyve VM to pass, no
>     matter what (layer 3) firewall rules are set on the host. That's not the
>     case as long as pfil_bridge or pfil_member are set.
>     
>     Reviewed by:    Zhenlei Huang
>     MFC:            never
>     Differential Revision:  https://reviews.freebsd.org/D37009

Hey Kristof,

Would this be a good candidate for RELNOTES?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
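As an added example (not part of the commit or of this mail), a small sh/awk check for operators who had been relying on host layer 3 rules applying to bridged traffic: it reads `sysctl net.link.bridge` output and reports whether either of the two knobs the commit changes is still non-zero. The sysctl lines below are constructed sample input in sysctl(8)'s "name: value" format.

```sh
#!/bin/sh
# Constructed sample output, as `sysctl net.link.bridge` would print it.
# First host: pfil_member still enabled, so L3 firewalls see bridged frames.
WITH_PFIL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

# Second host: both knobs at the new default of 0 (commit 22893e584032).
WITHOUT_PFIL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'

# Reads sysctl output on stdin and prints "l3-filtered" if pfil_member or
# pfil_bridge is non-zero, "l2-only" otherwise. Other net.link.bridge
# entries are ignored, so the full `sysctl net.link.bridge` output can be fed in.
bridge_l3_mode() {
  awk -F': *' '
    $1 == "net.link.bridge.pfil_member" || $1 == "net.link.bridge.pfil_bridge" {
      if ($2 + 0 != 0) on = 1
    }
    END { print (on ? "l3-filtered" : "l2-only") }'
}

# On a FreeBSD host:  sysctl net.link.bridge | bridge_l3_mode
printf '%s\n' "$WITH_PFIL" | bridge_l3_mode      # l3-filtered
printf '%s\n' "$WITHOUT_PFIL" | bridge_l3_mode   # l2-only
```

If the result is "l2-only", host pf/ipfw rules are no longer consulted for traffic crossing the bridge, so any filtering that was expected there has to be applied on the bridge members themselves or re-enabled explicitly via the two sysctls.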