On Sat, Nov 21, 2015 at 04:22:51PM +0100, Momtchil Momtchev wrote:
> Hello,
>
> Sorry for what may appear to be a strange question, but shouldn't there
> be a check against IFBIF_BLOCKNONIP in bridge_output() in
> sys/net/if_bridge.c?
>
Why? bridge_output() is used for packets that are sent from local
interfaces. I think you should be aware if you're running any non-IP
service on your OpenBSD machine.

I think your change would also break bridge_send_icmp_err() with
IFBIF_BLOCKNONIP, which is used by bridge_ipsec() and
bridge_fragment(). blocknonip and tunnels are not uncommon.

btw., what OpenBSD version is this diff for? This is not -current.

Reyk

> Something like this :
>
> --- if_bridge.c.orig Tue Jul 21 00:54:29 2015
> +++ if_bridge.c Sat Nov 21 16:05:12 2015
> @@ -1051,6 +1051,10 @@
> (m->m_flags & (M_BCAST | M_MCAST)) == 0)
> continue;
>
> + if (p->bif_flags & IFBIF_BLOCKNONIP &&
> bridge_blocknonip(eh, m)) {
> + continue;
> + }
> +
> if (IF_QFULL(&dst_if->if_snd)) {
> IF_DROP(&dst_if->if_snd);
> sc->sc_if.if_oerrors++;
>
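Review bot: The added IFBIF_BLOCKNONIP branch ahead of the IF_QFULL() check discards the frame for that port with a bare continue and counts nothing, while the queue-full path right below it bumps sc->sc_if.if_oerrors. If filtering in bridge_output() is wanted at all, the drop should be accounted for, or a comment should say why it is silent, so an administrator can tell that locally originated non-IP frames are being filtered on a blocknonip port. As a style point, the test reads more clearly as (p->bif_flags & IFBIF_BLOCKNONIP) && bridge_blocknonip(eh, m), matching the parenthesized (m->m_flags & (M_BCAST | M_MCAST)) test in the context above, and the braces around the single continue are inconsistent with the unbraced continue two lines earlier. The added condition is also split across two lines with only the first carrying a + marker, so the hunk as mailed will not apply cleanly and should be resent unwrapped.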
--