bridge doesn't call the filters on outbound. That only affects locally generated packets. It is debatable whether that is a bug or a (questionable) design decision. The impact on existing setups needs to be evaluated; I'm very unsure. But then I'm not the biggest bridge fan on earth and have never seen anyone using the bridge filters in a real world scenario until now, afair.
ok? Index: sys/net/if_bridge.c =================================================================== RCS file: /cvs/src/sys/net/if_bridge.c,v retrieving revision 1.298 diff -u -p -r1.298 if_bridge.c --- sys/net/if_bridge.c 17 Aug 2017 10:14:08 -0000 1.298 +++ sys/net/if_bridge.c 25 Oct 2017 13:32:36 -0000 @@ -734,6 +734,7 @@ bridge_output(struct ifnet *ifp, struct struct ether_addr *dst; struct bridge_softc *sc; struct bridge_tunneltag *brtag; + struct bridge_iflist *ifl; int error; /* ifp must be a member interface of the bridge. */ @@ -819,6 +820,12 @@ bridge_output(struct ifnet *ifp, struct continue; } } + + ifl = (struct bridge_iflist *)dst_if->if_bridgeport; + KASSERT(ifl != NULL); + if (bridge_filterrule(&ifl->bif_brlout, eh, mc) == + BRL_ACTION_BLOCK) + continue; error = bridge_ifenqueue(sc, dst_if, mc); if (error) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
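Review bot: in the second hunk (`@@ -819,6 +820,12 @@`), when `bridge_filterrule(&ifl->bif_brlout, eh, mc)` returns `BRL_ACTION_BLOCK` the new code does `continue` without releasing `mc`; in the visible lines `mc` is then neither handed to `bridge_ifenqueue()` nor freed, so unless the surrounding loop releases it elsewhere this leaks one mbuf (the per-member copy) for every blocked destination. Suggest `m_freem(mc);` immediately before that `continue`. Two smaller points: `KASSERT(ifl != NULL)` is only compiled in with DIAGNOSTIC, so a NULL `if_bridgeport` would be dereferenced on the following line in a non-DIAGNOSTIC kernel; since `dst_if` here is a bridge member that should not occur, but a short comment stating that invariant would help the next reader. And this hunk only adds the check inside the member loop; it is worth confirming that the output path where the destination interface is already known gets the same `bif_brlout` check, otherwise locally generated unicast frames would still bypass the outbound rules that this diff is meant to enforce.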