On 22/11/2015 00:34, Reyk Floeter wrote:
> On Sat, Nov 21, 2015 at 04:22:51PM +0100, Momtchil Momtchev wrote:
>> Hello,
>>
>> Sorry for what may appear to be a strange question, but shouldn't there
>> be a check against IFBIF_BLOCKNONIP in bridge_output() in
>> sys/net/if_bridge.c?
>
> Why? bridge_output() is used for packets that are sent from local
> interfaces. I think you should be aware if you're running any non-IP
> service on your OpenBSD machine.
>
> I think your change would also break bridge_send_icmp_err() with
> IFBIF_BLOCKNONIP, which is used by bridge_ipsec() and bridge_fragment().
> blocknonip and tunnels are not uncommon.
>
> btw., what OpenBSD version is this diff for? This is not -current.

Thanks for the quick reply. That was my impression too, but it seems that
bridge_output() is also used sometimes for forwarding ARP requests by a code
path that I haven't found yet - it is not a direct forwarding, it is like
some kind of a proxy-ARP mechanism.

I have a modified bridge and for me it makes sense (it is for a box that
bridges IP6 traffic and routes IP4 traffic - so I am blocking IP4 only with
BLOCKNONIP), I just wondered why it was not there and if I was missing
something.

Who calls bridge_output()? Isn't output always on the underlying interface,
not directly on the bridge?
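As an added illustration for this thread (not code from the thread or from OpenBSD's sys/net/if_bridge.c), the C below is a user-space model of what a block-non-IP filter decides for a single frame, which is where ARP ends up on the "pass" side. It assumes the EtherTypes listed in the comment are the ones treated as IP, and the function names blocknonip_drop and verdict are chosen here.

```c
#include <stdint.h>
#include <stddef.h>

/* EtherType values (IANA), spelled out rather than taken from a system header. */
#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_IPV6   0x86dd
#define ETHERMTU         1500

static int is_ip_type(uint16_t t)
{
    return t == ETHERTYPE_IP || t == ETHERTYPE_IPV6 ||
           t == ETHERTYPE_ARP || t == ETHERTYPE_REVARP;
}

/* Return 1 if a block-non-IP policy would drop this frame, 0 if it passes.
 * Assumed rule: IPv4, IPv6, ARP and RARP pass, either as an Ethernet II
 * type or inside an 802.3 LLC/SNAP header (OUI 00:00:00); everything
 * else, including truncated frames, is dropped. */
int blocknonip_drop(const uint8_t *f, size_t len)
{
    if (len < 14)
        return 1;
    uint16_t etype = (uint16_t)(f[12] << 8 | f[13]);
    if (is_ip_type(etype))
        return 0;
    if (etype > ETHERMTU)
        return 1;                       /* some other Ethernet II protocol */
    /* 802.3 length field: DSAP/SSAP 0xaa, CTRL 0x03, OUI 0, then type. */
    if (len < 22 || f[14] != 0xaa || f[15] != 0xaa || f[16] != 0x03 ||
        f[17] != 0 || f[18] != 0 || f[19] != 0)
        return 1;
    return is_ip_type((uint16_t)(f[20] << 8 | f[21])) ? 0 : 1;
}

/* Constructed 64-byte test frames (zero addresses and payload). When
 * snap is non-zero, etype is carried in an LLC/SNAP header instead. */
int verdict(uint16_t etype, int snap)
{
    uint8_t f[64] = {0};
    if (snap) {
        f[13] = 46;                                  /* 802.3 length */
        f[14] = 0xaa; f[15] = 0xaa; f[16] = 0x03;    /* LLC: SNAP */
        f[20] = (uint8_t)(etype >> 8); f[21] = (uint8_t)etype;
    } else {
        f[12] = (uint8_t)(etype >> 8); f[13] = (uint8_t)etype;
    }
    return blocknonip_drop(f, sizeof f);
}
```

Note that the filter only looks at the frame type, so an IPv4-only bridge as described above needs a narrower rule than this one, which passes both IP versions and ARP.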

