PF + if_bridge + NAT anomaly
Jay L. T. Cornwall
jay at jcornwall.me.uk
Fri Apr 18 20:23:27 UTC 2008
Jay L. T. Cornwall wrote:
> Even without 'block out all', the simple presence of:
> pass out quick on $bridge_if
>
> Causes NAT to stop. tcpdump on vr1 shows that packets with private IPs
> are passing to the WAN (and being filtered upstream). What is causing
> NAT to stop functioning by the presence of a loose rule? Does the
> default 'pass all' have additional flags necessary for NAT to function
> correctly?
OK, I've solved this. Kind of.
By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default
1 the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on
bridge0 is still required even though if_bridge(4) would suggest otherwise:
net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
interface, set to 0 to disable it.
OK, whatever. :)
--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/