Hey Everyone,
I went to add a few bridge interfaces to a production firewall today and
went to set packet filter options for the interfaces as described in the
IF_BRIDGE(4) man page section for 12.2-RELEASE-p7. However, all the pfil
net.link.bridge sysctl values are absent on both my firewall hosts ...
root@fw1:~ # sysctl -a | grep bridge
dev.isab.0.%desc: PCI-ISA bridge
dev.ahciem.0.%desc: AHCI enclosure management bridge
dev.hostb.1.%desc: Host to PCI bridge
dev.hostb.0.%desc: Host to PCI bridge
dev.pcib.7.%desc: ACPI PCI-PCI bridge
dev.pcib.6.%desc: ACPI PCI-PCI bridge
dev.pcib.5.%desc: ACPI PCI-PCI bridge
dev.pcib.4.%desc: ACPI PCI-PCI bridge
dev.pcib.3.%desc: ACPI PCI-PCI bridge
dev.pcib.2.%desc: ACPI PCI-PCI bridge
dev.pcib.1.%desc: ACPI PCI-PCI bridge
dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.netmap.bridge_batch: 1024
Not sure what's going on here, as the man page states there should be
options here to control this ...
PACKET FILTERING
     Packet filtering can be used with any firewall package that hooks in via
     the pfil(9) framework.  When filtering is enabled, bridged packets will
     pass through the filter inbound on the originating interface, on the
     bridge interface and outbound on the appropriate interfaces.  Either
     stage can be disabled.  The filtering behaviour can be controlled using
     sysctl(8):
     ...
     net.link.bridge.pfil_member   Set to 1 to enable filtering on the
                                   incoming and outgoing member interfaces,
                                   set to 0 to disable it.
     net.link.bridge.pfil_bridge   Set to 1 to enable filtering on the
                                   bridge interface, set to 0 to disable it.
     ...
I also see recent mailing list posts that make mention of using these
options on 12.2-RELEASE, so I don't think it's normal.
Any ideas or suggestions?
Thanks,
-Matthew
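An added check script for the situation described in the post (example code, not from the original message or from the FreeBSD project). It reads `sysctl`-style "name: value" output and reports whether the two pfil stages from IF_BRIDGE(4) are present and enabled, so a firewall operator can distinguish "the OIDs are not registered at all" (net.link.bridge.* is registered by the if_bridge module, so it is absent until if_bridge.ko is loaded, for instance when the first bridge interface is created) from "filtering was switched off". The two sample outputs are constructed for the example; the default values shown follow the man page, and the `sysctl net.link.bridge` call at the end is only run on FreeBSD.

```sh
#!/bin/sh
# Constructed sample of `sysctl net.link.bridge` on a host where if_bridge is
# loaded; values are the IF_BRIDGE(4) defaults.
SAMPLE_LOADED='net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_local_phys: 0'

# Constructed sample matching the post: unrelated "bridge" hits only, no
# net.link.bridge.* OIDs at all.
SAMPLE_MISSING='dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.netmap.bridge_batch: 1024'

# oid_value OID : read "name: value" lines on stdin and print OID's value.
# Returns 1 when the OID is not present in the input.
oid_value() {
  _v=$(sed -n "s/^$1: //p")
  [ -n "$_v" ] || return 1
  printf '%s\n' "$_v"
}

# bridge_pfil_audit : read sysctl output on stdin and classify the pfil setup.
#   prints "missing"            and returns 2 when the pfil OIDs are absent
#                                  (if_bridge not loaded / compiled in)
#   prints "member=X bridge=Y"  and returns 0 when both stages are enabled,
#                                  3 when either stage is disabled
bridge_pfil_audit() {
  _in=$(cat)
  _m=$(printf '%s\n' "$_in" | oid_value net.link.bridge.pfil_member) \
    || { echo missing; return 2; }
  _b=$(printf '%s\n' "$_in" | oid_value net.link.bridge.pfil_bridge) \
    || { echo missing; return 2; }
  echo "member=$_m bridge=$_b"
  if [ "$_m" = 1 ] && [ "$_b" = 1 ]; then
    return 0
  else
    return 3
  fi
}

# Live check against the running kernel; only meaningful on FreeBSD.
if [ "$(uname -s)" = FreeBSD ]; then
  sysctl net.link.bridge 2>/dev/null | bridge_pfil_audit \
    || echo "bridge pfil is not fully enabled (status $?)"
fi
```

Exit status 2 ("missing") is the case from the post: no amount of `sysctl -w` will help until the if_bridge module is loaded (`kldload if_bridge`, or `if_bridge_load="YES"` in loader.conf so the switches exist at boot); status 3 means the OIDs exist but one of the filtering stages has been turned off and the firewall rules are not being applied at that point.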