hi all,
i sent the following question to misc@ on march 29th but received no
response. i hope you don't mind me retrying on tech@.
while playing around with pf, i noticed that some connections that i
thought should be blocked, were in fact not. here is my fairly standard
bridge setup between a wlan interface and a wired ethernet.
# cat /etc/hostname.em0
group lan
up
# cat /etc/hostname.athn0
mediaopt hostap
nwid xxx wpakey abcd1234
group lan
up
# cat /etc/hostname.vether0
group lan
inet 192.168.22.145/28
# cat /etc/hostname.bridge0
add em0 add athn0 add vether0
blocknonip athn0
up
i then set up pf rules that should let the (w)lan interfaces talk to
the world.
# cat /etc/pf.conf
set skip on lo
block return
pass out # ingress filter
pass in on lan from lan:network to any
now this all works as intended. but, when i remove athn0 from the lan
group, i would expect the above ruleset to block any incoming
connections from the wlan.
# ifconfig athn0 -group lan
and indeed, i could not ping a wired host from the wlan. however, i
could still access the router (192.168.22.145) itself from the wireless.
as far as i can tell, this is due to the following code in if_bridge.c,
bridge_process() -- comments by me:
if (bridge_ourether(bif0->ifp, eh->ether_dhost)) {
/* addressed to the iface it came in on */
bif = bif0;
} else {
SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) {
if (bif->ifp == ifp)
continue;
if (bridge_ourether(bif->ifp, eh->ether_dhost))
/* addressed to some other bridge member */
break;
}
}
if (bif != NULL) {
/* ... */
if (bridge_filterrule(&bif0->bif_brlin, eh, m) ==
BRL_ACTION_BLOCK) {
goto bad;
}
/* ... */
}
a packet that comes in on a member of a bridge and is addressed to _any_
bridge member interface, is processed as input to (only) the destination
interface. if that destination interface differs from the one that the
packet actually came in on, pf rules for the actual input interface are
not evaluated.
this seems to contradict the following statement in the NOTES section of
bridge(4) -- in any case, it certainly contradicted my intuition:
Bridged packets pass through pf(4) filters once as input on the receiving
interface and once as output on all interfaces on which they are
forwarded. In order to pass through the bridge packets must pass any in
rules on the input and any out rules on the output interface. Packets
may be blocked either entering or leaving the bridge.
now, to be clear, i don't mind that the packet passes through 'in' rules for
vether0 in my example, but i wonder if it should not also pass through
the 'in' rules for 'athn0'.
i would appreciate enlightenment on this. note that (contrary to misc) i
am subscribed to tech@, so no cc needed.
thanks,
pesco
PS: at the time, i was using OpenBSD 6.6, but the code in question
appears unchanged in current.
