How to disable pf bridge filtering

[einsibjarni]

I have an ansible playbook that deploys hosts running nomad + pot + pot task driver.

The pots I deploy are using public-bridge dual stack. Pf is enabled and my current pf.conf is generated from a template in ansible, and it blocks everything not strictly allowed. As-is, it blocks traffic from jails on the bridge interface, and IPv6 rtsol/rtadv packets.

I can't disable bridge filtering in sysctl.conf, because there has to be a bridge created before I can apply the sysctl changes.

Anybody have experience with this? Should I disable filtering in a pot hook or create a dummy bridge at boot? Or should I leave filtering enabled and add the rules I need in a sensible way?

[grembo]

@einsibjarni you have various options.

1. Personally, I would always prefer to use IP based pf.conf rules (so not messing with bridge filtering settings)
2. If you want to be able to tune bridge sysctls using /etc/sysctl.conf, it should be sufficient to load the bridge driver on boot through /etc/rc.conf (sysrc kld_list+=if_bridge)
3. If you want to make better pf.conf rules (e.g., include "antispoof" based on the interface), you can pre-create pot's bridge in rc.conf. I only ever did this for IPv4 though, for which it would look something like:

sysrc cloned_interfaces+="bridge0"
sysrc ifconfig_bridge0="inet 10.192.0.1/10"

Replace the IP with what you're using as POT_GATEWAY.

For IPv6 the selection is done by finding if the external pot interface is part of it (so it's a bit more complex). I have no experience using it, but I would assume it's something like:

sysrc cloned_interfaces+="bridge0"
sysrc ifconfig_bridge0="addm em0"
sysrc ifconfig_bridge0_aliases="inet 10.192.0.1/10 inet6 ???"

em0 is POT_EXTIF in this case. Not sure which IPv6 address you would configure on the bridge (if any).

Note that this is all from the top of my head, so take it with a grain of salt ;)

[einsibjarni]

@grembo did you have #282 ready to go? :)
It really helps in this situation, so we can pre-create the bridge interfaces and configure rules in pf beforehand

[grembo]

@grembo did you have #282 ready to go? :) It really helps in this situation, so we can pre-create the bridge interfaces and configure rules in pf beforehand

No, but when I created the example for you I checked the code and was unhappy about how it's done.