On 22/11/15(Sun) 01:11, Momtchil Momtchev wrote:
> On 22/11/2015 00:34, Reyk Floeter wrote:
> >On Sat, Nov 21, 2015 at 04:22:51PM +0100, Momtchil Momtchev wrote:
> >>     Hello,
> >>
> >>     Sorry for what may appear to be a strange question, but shouldn't there
> >>be a check against IFBIF_BLOCKNONIP in bridge_output() in
> >>sys/net/if_bridge.c?
> >>
> >Why?  bridge_output() is used for packets that are sent from local
> >interfaces.  I think you should be aware if you're running any non-IP
> >service on your OpenBSD machine.
> >
> >I think your change would also break bridge_send_icmp_err() with
> >IFBIF_BLOCKNONIP, which is used by bridge_ipsec() and
> >bridge_fragment(). blocknonip and tunnels are not uncommon.
> >
> >btw., what OpenBSD version is this diff for?  This is not -current.
> 
>     Thanks for the quick reply. That was my impression too, but it seems
> that bridge_output is also used sometimes for forwarding ARP requests by a
> code path that I haven't found yet - it is not a direct forwarding, it is
> like some kind of a proxy-ARP mechanism. I have a modified bridge and for me
> it makes sense (it is for a box that bridges IP6 traffic and routes IP4
> traffic - so I am blocking IP4 only with BLOCKNONIP), I just wondered why it
> was not there and if I was missing something. Who does call bridge_output?
> Isn't output always on the underlying interface, not directly on the bridge?

If you want some help you need to provide the information that allows
us to help you.  Which version are you running?  Can you describe the
problem you're facing *without* any modification on such version?
