pf: bridge-to
ClosedPublic
Actions

Authored by kp on Oct 28 2022, 10:05 AM.

Details

Reviewers

None

Group Reviewers

network
pfsense

Commits

rG8a8af9424008: pf: bridge-to

Summary

Allow pf (l2) to be used to redirect ethernet packets to a different
interface.

The intended use case is to send 802.1x challenges out to a side
interface, to enable AT&T links to function with pfSense as a gateway,
rather than the AT&T provided hardware.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Oct 28 2022, 10:05 AM

Herald added subscribers: glebius, melifaro, farrokhi and 2 others. · View Herald TranscriptOct 28 2022, 10:05 AM

kp requested review of this revision.Oct 28 2022, 10:05 AM

Harbormaster completed remote builds in B48074: Diff 112326.Oct 28 2022, 10:05 AM

kp added a child revision: D37194: pf tests: bridge-to test case.Oct 28 2022, 10:05 AM

zlei added a subscriber: zlei.Nov 1 2022, 7:33 AM

zlei added inline comments.

sys/netpfil/pf/pf.c
3844	Since `bridge-to` is a L2 action, the `kif->pfik_ifp` should be check whether it is capable to transmit l2 packets or not. I think maybe we can flag it ( capable to transmit L2 packets ) within `pfi_attach_ifnet()` , something like this: if (ifp->if_type == IFT_ETHER ... IFT_L2VLAN ... IFT_BRIDGE) kif->some_flag \|= L2_CAPABLE; See also `if_setlladdr()` in `sys/net/if.c`

Ensure that the output interface understands Ethernet

Harbormaster completed remote builds in B48109: Diff 112456.Nov 1 2022, 11:37 AM

kp marked an inline comment as done.Nov 1 2022, 11:38 AM

kp added inline comments.

sys/netpfil/pf/pf.c
3844	Good point, although I think it's easier to do the check at output time, rather than adding an intermediate flag. We'd still have to check here, so we may as well look directly at the ifp->if_type here.

zlei added inline comments.Nov 1 2022, 3:41 PM

lib/libpfctl/libpfctl.h
60	Is this introduced accidentally ?

kp marked 2 inline comments as done.Nov 1 2022, 3:59 PM

kp added inline comments.

lib/libpfctl/libpfctl.h
60	That was introduced in https://cgit.freebsd.org/src/commit/?id=444a77ca85c78 recently. It's not part of this change, but it shows up now because I've rebased on top of a more recent head when I updated this patch.