From nobody@FreeBSD.org  Fri Feb 25 19:44:50 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9534E16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Feb 2005 19:44:50 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 723F543D58
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Feb 2005 19:44:50 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j1PJinQK051437
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Feb 2005 19:44:49 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j1PJin51051436;
	Fri, 25 Feb 2005 19:44:49 GMT
	(envelope-from nobody)
Message-Id: <200502251944.j1PJin51051436@www.freebsd.org>
Date: Fri, 25 Feb 2005 19:44:49 GMT
From: Manuel Kasper <mk@neon1.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipf filtering on bridged packets doesn't work if ipfw is loaded
X-Send-Pr-Version: www-2.3

>Number:         78090
>Category:       kern
>Synopsis:       [ipf] ipf filtering on bridged packets doesn't work if ipfw is loaded
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 25 19:50:16 GMT 2005
>Closed-Date:    
>Last-Modified:  Mon May 19 12:50:02 UTC 2008
>Originator:     Manuel Kasper
>Release:        5.3-RELEASE
>Organization:
>Environment:
FreeBSD daemon5.neon1.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
If ipfw is loaded, then the net.link.ether.bridge.ipf option, which is designed to pass bridged packets to ipfilter, doesn't work: no ipfilter rules are applied. This happens even when net.link.ether.bridge.ipfw=0.

Closer examination of sys/net/bridge.c reveals that the whole pfil processing part of the code is skipped if IPFW_LOADED == true, in order to prevent ipfw from being called twice on a given packet (once through pfil, and once directly from bdg_forward).
>How-To-Repeat:
Configure ipfilter to block packets, set up bridging between two interfaces. Make sure ipfw is not loaded. Observe that bridged packets are actually blocked by ipfilter. Load ipfw (leave net.link.ether.bridge.ipfw alone). Observe that packets are no longer blocked.
>Fix:
Packets should be tagged somehow in bdg_forward prior to sending them to pfil_run_hooks to make ipfw ignore them when it's called from pfil.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon May 19 00:08:42 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78090 
Responsible-Changed-From-To: freebsd-pf->freebsd-net 
Responsible-Changed-By: mlaier 
Responsible-Changed-When: Mon May 19 09:12:31 UTC 2008 
Responsible-Changed-Why:  
This is not a pf problem.  Also note that the old bridge implementation, to
which this PR relates, is obsoleted by if_bridge(4) and likely no longer
maintained.

Over to freebsd-net in case somebody is still interested. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78090 

From: Manuel Kasper <mk@neon1.net>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/78090: [ipf] ipf filtering on bridged packets doesn't work if ipfw is loaded
Date: Mon, 19 May 2008 14:13:43 +0200

This PR can be closed as far as I'm concerned. It's been more than
three years anyway :)

m0n0wall has a workaround/fix for this now (see
http://svn.m0n0.ch/wall/branches/freebsd6/build/patches/kernel/kernel-6.patch),
and as mlaier pointed out, BRIDGE is deprecated anyway and we should
switch to if_bridge.

- Manuel
>Unformatted:
