pf on a bhyve host
Date: Sun, 31 Oct 2021 12:48:48 UTC
Hello pf@ (the context is a 12.2-p10 host and various bhyve guests)

What's the best way to have pf protect the host (on igb0) but leave the traffic for the tap devices unexamined?

It seems, for example, that set skip on $tap_ifs, where $tap_ifs is a macro containing four tap devices, doesn't do what's needed. In this context, igb0 is bridged with the tap devices. Traffic still gets hit by pf block rules on the host despite being for the VM behind the tap device(s).

Is a different approach needed? Do I need to use vlans? The bhyve guests need to have real routable IPs, and both the host and the guests are on the same subnet. The desired outcome was previously achieved with a hardware firewall in front of the bhyve host.

I'm not sure if this is possible with FreeBSD's pf. Maybe it is with OpenBSD's? I understand that we have pci passthru with bhyve+openbsd guests now.

thanks,
-- J.
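An added illustration of the setup described above (editor's example, not the poster's configuration or a reply from the list). It assumes the host address 203.0.113.10 and tap0-tap3 as constructed values, and that the default if_bridge(4) sysctls are in effect, under which frames are filtered on member interfaces (net.link.bridge.pfil_member=1) as well as on the bridge (net.link.bridge.pfil_bridge=1); because igb0 is itself a bridge member, guest-bound packets are seen by pf on igb0 before the bridge hands them to a tap device, so set skip on the taps alone does not exempt them. The rules therefore scope the host-protection rules to the host's own address:

```pf
# /etc/pf.conf -- constructed example for a bhyve host whose igb0 is
# bridged with four tap devices; addresses and interface names assumed.
ext_if  = "igb0"
host_ip = "203.0.113.10"            # constructed: the host's routable IP
tap_ifs = "{ tap0 tap1 tap2 tap3 }" # constructed: one tap per guest

# Skip the tap devices and the bridge itself.  Note that this does NOT
# cover guest traffic on igb0: with net.link.bridge.pfil_member=1 (the
# default) every frame entering or leaving a member interface is still
# run through pf on that member, igb0 included.
set skip on { $tap_ifs bridge0 lo0 }

# Bridged guest traffic never has the host's address on either side.
# Pass it first, quickly and statelessly, so the host rules below never
# see it and pf keeps no state for the guests' flows.
pass quick on $ext_if inet from ! $host_ip to ! $host_ip no state

# Everything that remains on igb0 is addressed to or from the host, so
# the protective policy applies only to the host itself.
block in log on $ext_if

# Constructed host-management policy; adjust to what the host serves.
pass in quick on $ext_if inet proto tcp to $host_ip port ssh
pass in quick on $ext_if inet proto icmp to $host_ip icmp-type echoreq
pass out on $ext_if inet from $host_ip
```

Before relying on this, confirm the filtering points with sysctl net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, and watch the skipped/guest path with pfctl -s rules -v and tcpdump -ni pflog0 to verify that guest-bound packets no longer hit the log-and-block rule.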