Page MenuHomeFreeBSD
Differential D37193

pf: bridge-to
ClosedPublic
Actions

Authored by kp on Oct 28 2022, 10:05 AM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Nov 19, 7:12 AM
Unknown Object (File)
Mon, Nov 18, 5:18 AM
Unknown Object (File)
Sat, Nov 16, 2:21 PM
Unknown Object (File)
Sat, Nov 16, 1:50 PM
Unknown Object (File)
Sat, Nov 16, 1:28 PM
Unknown Object (File)
Sat, Nov 16, 11:42 AM
Unknown Object (File)
Fri, Nov 15, 7:57 PM
Unknown Object (File)
Fri, Nov 15, 7:08 PM
View All 60 Files
Subscribers
ae
farrokhi
glebius
imp
melifaro
zlei

Details

Reviewers
None
Group Reviewers
network
pfsense
Commits
rG8a8af9424008: pf: bridge-to
Summary

Allow pf (l2) to be used to redirect ethernet packets to a different
interface.

The intended use case is to send 802.1x challenges out to a side
interface, to enable AT&T links to function with pfSense as a gateway,
rather than the AT&T provided hardware.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Oct 28 2022, 10:05 AM
Herald added subscribers: glebius, melifaro, farrokhi and 2 others. · View Herald TranscriptOct 28 2022, 10:05 AM
kp requested review of this revision.Oct 28 2022, 10:05 AM
Harbormaster completed remote builds in B48074: Diff 112326.Oct 28 2022, 10:05 AM
kp added a child revision: D37194: pf tests: bridge-to test case.Oct 28 2022, 10:05 AM
zlei added a subscriber: zlei.Nov 1 2022, 7:33 AM
zlei added inline comments.
sys/netpfil/pf/pf.c
3844

Since bridge-to is a L2 action, the kif->pfik_ifp should be check whether it is capable to transmit l2 packets or not.

I think maybe we can flag it ( capable to transmit L2 packets ) within pfi_attach_ifnet() , something like this:

if (ifp->if_type == IFT_ETHER ... IFT_L2VLAN ... IFT_BRIDGE)
    kif->some_flag |= L2_CAPABLE;

See also if_setlladdr() in sys/net/if.c

kp updated this revision to Diff 112456.Nov 1 2022, 11:37 AM

Ensure that the output interface understands Ethernet

Harbormaster completed remote builds in B48109: Diff 112456.Nov 1 2022, 11:37 AM
kp marked an inline comment as done.Nov 1 2022, 11:38 AM
kp added inline comments.
sys/netpfil/pf/pf.c
3844

Good point, although I think it's easier to do the check at output time, rather than adding an intermediate flag.

We'd still have to check here, so we may as well look directly at the ifp->if_type here.

zlei added inline comments.Nov 1 2022, 3:41 PM
lib/libpfctl/libpfctl.h
60

Is this introduced accidentally ?

kp marked 2 inline comments as done.Nov 1 2022, 3:59 PM
kp added inline comments.
lib/libpfctl/libpfctl.h
60

That was introduced in https://cgit.freebsd.org/src/commit/?id=444a77ca85c78 recently. It's not part of this change, but it shows up now because I've rebased on top of a more recent head when I updated this patch.

zlei added a comment.Nov 1 2022, 4:11 PM

Looks good to me, although have not tested this new feature yet.

lib/libpfctl/libpfctl.h
60

Sorry about the noises. My local src repo is out of sync.

This revision was not accepted when it landed; it landed in state Needs Review.Nov 2 2022, 2:51 PM
Closed by commit rG8a8af9424008: pf: bridge-to (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp marked an inline comment as done.
kp added a commit: rG8a8af9424008: pf: bridge-to.

Revision Contents
Changeset List

PathSize
lib/
libpfctl/
1 line
5 lines
sbin/
pfctl/
48 lines
2 lines
share/
man/
man5/
10 lines
sys/
net/
2 lines
netpfil/
pf/
31 lines
12 lines
3 lines

Diff 112500

View Options

lib/libpfctl/libpfctl.h

Loading...
View Options

lib/libpfctl/libpfctl.c

Loading...
View Options

sbin/pfctl/parse.y

Loading...
View Options

sbin/pfctl/pfctl_parser.c

Loading...
View Options

share/man/man5/pf.conf.5

Loading...
View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...
View Options

sys/netpfil/pf/pf_ioctl.c

Loading...
View Options

sys/netpfil/pf/pf_nv.c

Loading...