The following examples illustrate some curiosities I've found when filtering traffic between bridge members:
Code:
# /etc/pf.conf
# Note: only one of the two scenarios below is loaded at a time; they are
# shown together here for comparison.
jailsrc = "10.0.0.2"
jaildst = "10.0.0.3"
jailsrc_if = "epair0a"
jaildst_if = "epair1a"
# ***** SCENARIO 1 - Block by Default *****
block all
# Both rules are required to pass traffic from jailsrc to jaildst
pass on bridge0 from $jailsrc to $jaildst
pass on $jailsrc_if from $jailsrc to $jaildst
# Interestingly, it doesn't matter what we do on the destination jail's interface
block quick on $jaildst_if from $jailsrc to $jaildst
# ***** SCENARIO 2 - Pass by Default *****
pass all
# As expected, each single one of the following will block the traffic
block on bridge0 from $jailsrc to $jaildst
block on $jailsrc_if from $jailsrc to $jaildst
# But not this one, the interface for the destination jail is ignored
block quick on $jaildst_if from $jailsrc to $jaildst
This is the bridge setup:
Bash:
# epair0a and epair1a are assumed to exist already (their b ends are in the jails)
# the bridge is named bridge0 throughout, matching the "on bridge0" rules in pf.conf
ifconfig bridge create name bridge0
ifconfig bridge0 ether 0a:00:0a:00:00:01
ifconfig bridge0 inet 10.0.0.1/24
ifconfig bridge0 addm epair0a
ifconfig bridge0 addm epair1a
Now here are my questions:
1. Why is $jaildst_if not filtered? Given that $jailsrc_if is filtered, this seems to be some strangely inconsistent behavior.
2. Why is $jailsrc_if filtered? Given that $jaildst_if is not filtered, this also seems to be strangely inconsistent.
Either way, I would be really grateful to learn what's going on here.
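Before reasoning about why the destination member is ignored, it is worth checking whether pf ever evaluates the rule on that interface at all. The following is an added example, not code from the post: a sh/awk helper that parses the per-rule counters printed by `pfctl -vsr` and lists rules pf never consulted. The `pfctl -vsr` text embedded below is constructed to resemble that output and was not captured from this setup.

```shell
#!/bin/sh
# Constructed sample of `pfctl -vsr` output: each rule line is followed by a
# bracketed counters line (Evaluations / Packets / Bytes / States).
SAMPLE_PFCTL_VSR='pass on bridge0 inet from 10.0.0.2 to 10.0.0.3 flags S/SA keep state
  [ Evaluations: 7         Packets: 6         Bytes: 504         States: 1     ]
pass on epair0a inet from 10.0.0.2 to 10.0.0.3 flags S/SA keep state
  [ Evaluations: 7         Packets: 6         Bytes: 504         States: 1     ]
block drop quick on epair1a inet from 10.0.0.2 to 10.0.0.3
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

# rule_counters: read `pfctl -vsr` text on stdin and print one line per rule:
#   <evaluations> <packets> <rule text>
rule_counters() {
    awk '
        /^[[:space:]]*\[ Evaluations:/ {
            # the counters line belongs to the most recent rule line
            ev = $3; pk = $5
            print ev, pk, rule
            next
        }
        /^[[:space:]]*\[/ { next }          # other bracketed lines (Inserted: ...)
        /^(pass|block|match)/ { rule = $0 } # remember the rule text
    '
}

# never_evaluated_rules: rules pf never consulted for any packet; a zero here
# means the packet never reached pf on that interface in that direction, so
# the rule cannot have mattered regardless of its action.
never_evaluated_rules() {
    rule_counters | awk '$1 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Usage on a live system would be: pfctl -vsr | never_evaluated_rules
printf '%s\n' "$SAMPLE_PFCTL_VSR" | never_evaluated_rules
```

Run `pfctl -vsr | never_evaluated_rules` after sending a few packets from the source jail to see whether the `$jaildst_if` rule shows any evaluations at all; `pfctl -ss` then shows which interface each resulting state is bound to.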