On Sat, Mar 07, 2015 at 03:36:02PM +0100, Torbjörn Granlund wrote:
> I have used pf for many years, and also Xen under NetBSD. I have never
> used them in combination. Now I do, using a custom-built Dom0 kernel
> with pf (as loadable kernel modules + Xen is well-known as non-working).
>
> Despite draconian block rules, I fail to block traffic between DomU
> guests. These guests both run NetBSD PV.
>
> [...]
> The way I understand NetBSD bridges is that they act as "level 2"
> switches. The DomU systems I wish to isolate from each other are
> attached to the same bridge, bridge0. Packets to the rest of the world
> go through tap0 as it is also attached to bridge0.
>
> This view explains why the 'block tap0' rule is ineffective; the bridge0
> switch will naturally pass packets directly from 10.0.0.2 to 10.0.0.5.
> But 'block all' should, er, block it all.
>
> But then, how do I force this blocking? "block all dammit!". :-)
With ipf, I have to build a kernel with options BRIDGE_IPF and then add the 'ipf' keyword to all interface members of the bridge (see brconfig(8) for details; you can do this in the vif-bridge script). Reading the code, this in fact causes bridge to call pfil_hook, which is not ipf-specific, so I guess it should work with pf too. At least it's worth a try.

-- 
Manuel Bouyer <[email protected]>
     NetBSD: 26 years of experience will always make the difference
--
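As an added illustration (not from either poster) of what the suggested setup looks like end to end, assuming the hook works with pf as suggested: the Dom0 kernel option, the brconfig call a vif-bridge script would run, and a pf.conf that blocks DomU-to-DomU traffic once bridged frames pass through pfil on the member interfaces. The backend interface names xvif1i0/xvif2i0 and the 10.0.0.0/24 guest network are assumed for the example.

```conf
# --- Dom0 kernel config (custom kernel, Xen + pf built in) ---
#   options BRIDGE_IPF
#
# --- vif-bridge script, once per DomU backend interface ---
#   brconfig bridge0 add "$vif" ipf      # member interface names are assumed
#
# --- /etc/pf.conf ---
guest_net = "10.0.0.0/24"
domu_ifs  = "{ xvif1i0 xvif2i0 }"       # assumed DomU backend interfaces
uplink    = "tap0"

set skip on lo0

# Default deny: with bridge filtering enabled this now also applies to
# frames the bridge would otherwise switch directly between members.
block log all

# Guest-to-guest traffic on the same bridge is never allowed through.
block in log quick on $domu_ifs from $guest_net to $guest_net

# Guests may talk to the outside world only.
pass in  on $domu_ifs from $guest_net to ! $guest_net keep state
pass out on $uplink   from $guest_net to ! $guest_net keep state
pass in  on $uplink   from ! $guest_net to $guest_net keep state
```

Check with `pfctl -s rules` and `pfctl -s state` from Dom0 while pinging 10.0.0.5 from 10.0.0.2: the guest-to-guest block rule should log hits on the xvif interfaces, while traffic via tap0 creates state entries.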
