Re: pf on a bhyve host

From: kaycee gb <kisscoolandthegangbang_at_hotmail.fr>
Date: Mon, 01 Nov 2021 20:30:28 UTC
Hi, 

On Sun, 31 Oct 2021 12:48:48 +0000,
tech-lists <tech-lists@zyxst.net> wrote:

> Hello pf@
> 
> (the context is a 12.2-p10 host and various bhyve guests)
> 
> What's the best way to have pf protect the host (on igb0) but 
> leave the traffic for the tap devices unexamined? It seems, for example
> 
> set skip on $tap_ifs
> 
> where $tap_ifs is a macro containing four tap devices, doesn't do what's 
> needed. 
Does the "set skip" option expand correctly (one tap if per line)?

> In this context, igb0 is bridged with the tap devices. Traffic 
> still gets hit by pf block rules on the host despite being for the vm
> behind the tap device(s).
Do you filter on your bridge if or igb0?
> 
> Is a different approach needed? 
Based on your context, I would do the same as you.

Do you have a catch-all (block) rule at the end?
Alternatively, I would try to have rules specifically for each interface you
have except for TAP IFs (and probably bridges). Some sort of "set skip"
emulation.
As for the rest, I can't answer.
 
> Do I need to use vlans? The bhyve guests
> need to have real routable IPs and both the host and the guests are on
> the same subnet. The desired outcome was previously achieved with a
> hardware firewall in front of the bhyve host. I'm not sure if this is
> possible with freebsd's pf. Maybe it is with openbsd's? I understand
> that we have pci passthru with bhyve+openbsd guests now.
> 
> thanks,

K.
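An added pf.conf sketch, written for this page and not taken from either poster, of the two ideas raised above: a braced macro so `set skip` covers all four tap devices (plus the bridge), and the per-interface "set skip emulation" that filters only the host's own addresses on igb0. Everything except igb0 is assumed: tap0-tap3 and bridge0 stand in for the real devices, and the host's address is assumed to be configured on igb0 rather than on bridge0.

```conf
# Added example (not the configuration of either poster). Interface names
# other than igb0 are assumed; the host's own address is assumed on igb0.
ext_if    = "igb0"
bridge_if = "bridge0"
tap_ifs   = "{ tap0 tap1 tap2 tap3 }"   # braces: one macro, four interfaces

# Skip list: pf neither filters nor keeps state on these interfaces.
# Check the macro expansion before loading:  pfctl -nvf /etc/pf.conf
# and the live skip list afterwards:          pfctl -vsI   (marked "(skip)")
set skip on lo0
set skip on $tap_ifs
set skip on $bridge_if

# Why skipping the taps alone is not enough (from if_bridge(4), not from the
# thread): with net.link.bridge.pfil_member=1, the default, a frame bound for
# a guest is filtered on the member interface igb0 before it reaches the
# bridge, so a plain "block in on igb0" catches guest traffic as well.

# Default for igb0: treat traffic as bridged guest traffic and pass it
# stateless. pf uses last-match-wins, so the more specific host rules that
# follow override this one only for the host's own addresses.
pass on $ext_if no state

# Host protection scoped to the host's addresses: ($ext_if) expands to the
# addresses configured on igb0, so frames merely bridged through to a guest
# do not match the catch-all blocks and stay with the stateless pass above.
block in  log on $ext_if to   ($ext_if)
block out log on $ext_if from ($ext_if)
pass in  on $ext_if proto tcp to ($ext_if) port 22 keep state
pass out on $ext_if from ($ext_if) keep state
```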