From: tech-lists (tech-lists@zyxst.net)
To: freebsd-pf@freebsd.org
Date: Sun, 31 Oct 2021 12:48:48 +0000
Subject: pf on a bhyve host
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Hello pf@

(the context is a 12.2-p10 host and various bhyve guests)

What's the best way to have pf protect the host (on igb0) but leave the traffic for the tap devices unexamined?

It seems, for example

    set skip on $tap_ifs

where $tap_ifs is a macro containing four tap devices, doesn't do what's needed.

In this context, igb0 is bridged with the tap devices. Traffic still gets hit by pf block rules on the host despite being for the vm behind the tap device(s).

Is a different approach needed? Do I need to use vlans? The bhyve guests need to have real routable IPs and both the host and the guests are on the same subnet.

The desired outcome was previously achieved with a hardware firewall in front of the bhyve host. I'm not sure if this is possible with FreeBSD's pf. Maybe it is with OpenBSD's? I understand that we have pci passthru with bhyve+OpenBSD guests now.

thanks,
-- 
J.
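Added example (not from the post above and not FreeBSD project code): one way to lay out a pf.conf for the scenario J. describes, so that only the host's own address on igb0 is subject to the block rules while bridged guest traffic passes untouched. Rather than relying on `set skip` for the taps alone, it keeps the taps and the bridge skipped, adds an early `quick` pass on igb0 for anything that is neither from nor to the host address (which, on a bridge member, is the guests' traffic), and sets the `net.link.bridge.pfil_member` / `net.link.bridge.pfil_bridge` sysctls explicitly so the result does not depend on their defaults. The bridge name `bridge0`, the host address `192.0.2.10` and the ssh-only inbound policy are assumptions for illustration; the script writes the ruleset to a file and syntax-checks it with `pfctl -n` when pfctl is present, falling back to a plain-text sanity check elsewhere. Whether this matches the thread's eventual answer is not something the post confirms.

```shell
#!/bin/sh
# Added example, not the original poster's configuration and not FreeBSD code.
# Generates a pf.conf that protects the host's own address on igb0 and leaves
# bridged bhyve guest traffic unexamined. Interface names igb0 and tap0-3 come
# from the post; bridge0 and 192.0.2.10 are constructed placeholders.

# Emit the ruleset for the given host address to stdout.
write_pf_conf() {
    host_ip="$1"
    cat <<EOF
ext_if = "igb0"
host_ip = "$host_ip"
tap_ifs = "{ tap0 tap1 tap2 tap3 }"
bridge_if = "bridge0"

# Never examine traffic as it appears on the guest-side or bridge interfaces.
set skip on lo0
set skip on \$tap_ifs
set skip on \$bridge_if

# Anything on igb0 that is neither from nor to the host's own address is
# bridged guest traffic: let it through early, without creating state.
pass quick on \$ext_if from ! \$host_ip to ! \$host_ip no state

# The host itself: default deny inbound (logged), allow ssh, allow replies.
block in log on \$ext_if to \$host_ip
pass in on \$ext_if proto tcp to \$host_ip port 22 keep state
pass out on \$ext_if from \$host_ip keep state
EOF
}

# Make bridge filtering explicit so the ruleset does not depend on sysctl
# defaults: filter on the member interfaces (igb0, the taps), not on bridge0.
# Only meaningful on the FreeBSD host; the example never calls it by itself.
apply_bridge_sysctls() {
    sysctl net.link.bridge.pfil_member=1
    sysctl net.link.bridge.pfil_bridge=0
}

# Validate a generated file. With pfctl available, parse it without loading
# (-n). Elsewhere, fall back to checking the three properties the layout
# depends on: taps skipped, bridge skipped, quick pass present.
check_pf_conf() {
    conf="$1"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf"
    else
        grep -q 'set skip on \$tap_ifs' "$conf" &&
        grep -q 'set skip on \$bridge_if' "$conf" &&
        grep -q 'pass quick on \$ext_if' "$conf"
    fi
}

main() {
    tmp=$(mktemp)
    write_pf_conf 192.0.2.10 > "$tmp"
    check_pf_conf "$tmp" && echo "ruleset written and checked: $tmp"
}

main "$@"
```

The design choice worth noting is the `quick` rule with `no state`: because the guests' packets traverse igb0 in both directions without any state entry, the host's own stateful rules never see them, and the host's `block in log` still records every unsolicited probe aimed at the host address.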