PF + if_bridge + NAT anomaly
Max Laier
max at love2party.net
Sun Apr 20 19:35:36 UTC 2008
On Friday 18 April 2008 22:23:28 Jay L. T. Cornwall wrote:
> Jay L. T. Cornwall wrote:
> > Even without 'block out all', the simple presence of:
> > pass out quick on $bridge_if
> >
> > Causes NAT to stop. tcpdump on vr1 shows that packets with private
> > IPs are passing to the WAN (and being filtered upstream). What is
> > causing NAT to stop functioning by the presence of a loose rule? Does
> > the default 'pass all' have additional flags necessary for NAT to
> > function correctly?
>
> OK, I've solved this. Kind of.
>
> By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default
> 1 the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on
> bridge0 is still required even though if_bridge(4) would suggest
> otherwise:
>
> net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
> interface, set to 0 to disable it.
>
> OK, whatever. :)
filtering on a bridge is a bit tricky.
I think what happened in your scenario is that a state was created for the
flow on *IN* bridge0 which would then prevent NAT from happening. Would
you be up to share your complete working setup for future reference?
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
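The layout the thread is circling, written out as an added example. This is not Jay's configuration (the thread does not include it) and not something Max posted; the interface roles (bridge0 bridging vr0 on the LAN side and vr1 on the WAN side, NAT applied on vr1), the LAN range, and the split between sysctl.conf and pf.conf are all assumptions made for illustration. The sysctl names are the ones documented in if_bridge(4).

```conf
# Added illustrative example, not the configuration from the thread.
# Assumptions: bridge0 bridges vr0 (LAN member) and vr1 (WAN member);
# NAT is applied on vr1; $bridge_if is bridge0.

# --- /etc/sysctl.conf ---------------------------------------------------
# Filter on the member interfaces rather than on bridge0 itself (see
# if_bridge(4)). Setting pfil_bridge to 0 is the change Jay reported as
# stopping 'pass out' on the bridge from breaking NAT.
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1

# --- /etc/pf.conf -------------------------------------------------------
ext_if    = "vr1"
bridge_if = "bridge0"
lan_net   = "192.168.1.0/24"        # assumed private range behind the bridge

# Translation is bound to the WAN member, where the packet actually leaves.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Per Jay's report, an inbound pass on the bridge interface was still
# needed in his setup even with pfil_bridge=0.
pass in on $bridge_if

# Filter outbound on the member interface, not on $bridge_if. A stateful
# 'pass out quick on $bridge_if' with pfil_bridge=1 is what Max suspects
# created a state for the flow before NAT could be applied.
pass out quick on $ext_if keep state
```

After loading this with `pfctl -f /etc/pf.conf`, `sysctl net.link.bridge` shows the effective pfil settings and `pfctl -s state` lists the current states, which is where to look if untranslated private addresses still show up on the WAN side in tcpdump.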
More information about the freebsd-pf mailing list