Re: pf for netgraph jails?
Date: Thu, 31 Oct 2024 15:32:37 UTC
> On 16 Oct 2024, at 18:17, Patrick M. Hausen <hausen@punkt.de> wrote:
>
> Hi!
>
>> On 16.10.2024, at 16:19, Palle Girgensohn <girgen@FreeBSD.org> wrote:
>> [...]
>> but nothing happens, everything is passed directly into the jail:
>>
>> nc -l 4444 (inside the jail)
>>
>> and I can just telnet 1.2.3.4 4444
>
> Try:
>
> sysctl net.link.bridge.pfil_member=0
> sysctl net.link.bridge.pfil_bridge=1
>
> Although I do not know if this applies to netgraph or to if_bridge(4) only.
>
> But obviously your rules are not applied to the bridge interface. The default
> of the tunables above is the other way round - don't filter on bridge interfaces.
>
> HTH,
> Patrick

Hello Patrick,

Thanks for the reply.

It seems that these MIBs are related to if_bridge, not ng_bridge? I didn't have them at first, but after kldload if_bridge they appeared. They make no difference, though, so perhaps they do not relate to netgraph bridges?

Any idea what tunables would do the job?

Thanks,
Palle