Netgate Discussion Forum
    2.6.0-RELEASE BRIDGE Interface “transparent firewall” ISSUE

    mytsuu wrote:

      Hello Everyone!

      Just reporting my experience with the BRIDGE interface on the new release; it looks like a packet filter bug.

      2.6.0-RELEASE (amd64)
      built on Mon Jan 31 19:57:53 UTC 2022
      FreeBSD 12.3-STABLE

      Intel(R) Xeon(R) CPU E5607 @ 2.27GHz
      8 CPUs: 2 package(s) x 4 core(s)
      AES-NI CPU Crypto: Yes (inactive)
      QAT Crypto: No

      1. BRIDGE Interface “transparent firewall”
      WAN bce0/bce1 as LAGG0 FAILOVER |
                                      | as BRIDGE0 200.10.0.1/24
      LAN em0 ----------------------- |
      
      2. System Tunables
      net.link.bridge.pfil_member: 0
      net.link.bridge.pfil_bridge: 1

      • By doing that I assume the BRIDGE is the interface to apply all my rules to, leaving the WAN and LAN interfaces "Active" but without any IP or rule configuration.

      3. BRIDGE0 firewall rules

      --- IN packets
      Action: Pass
      Protocol: IPv4 *
      Source: ANY
      Destination: 200.10.0.100
      Port: 8080

      --- OUT packets
      Action: Pass
      Protocol: IPv4 *
      Source: 200.10.0.100
      Destination: ANY
      Port: 8080

      This scenario should allow 200.10.0.100 to communicate IN/OUT on port 8080 "only", as configured. But in fact the OUT filter is allowing all ports; it looks like the OUT filter isn't working on this 2.6.0-RELEASE. No issue on the IN filter.

      As reference I have the same scenario configuration running perfectly on the 2.5.1-RELEASE.

      Could someone test and verify if this is a bug?

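One way to test the claim above on the firewall itself is to compare the live pf state table with the intended bridge0 policy: with the default state tracking on a pass rule, any state for 200.10.0.100 that is not on destination port 8080 is evidence that traffic got through a rule that should not have matched. The script below is an added example, not code from the forum post or from pfSense. It assumes the `pfctl -ss` line format (outbound states print as "src -> dst", inbound states as "dst <- src"), that the "Port: 8080" field in the post is the destination port, and that the rules are bound to bridge0; the sample state lines are constructed for illustration, not captured from the poster's system.

```python
"""Audit pf state entries against the two bridge0 pass rules from the post.

Usage on the firewall:  pfctl -ss > states.txt && python3 audit_states.py states.txt
Without an argument the constructed SAMPLE_STATES below are used instead.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of `pfctl -ss` output (assumption: IPv4-only, pf prints
# "->" for states opened by an outbound packet and "dst <- src" for inbound).
SAMPLE_STATES = """\
No ALTQ support in kernel
bridge0 tcp 200.10.0.100:8080 <- 198.51.100.7:49152       ESTABLISHED:ESTABLISHED
bridge0 tcp 200.10.0.100:51000 -> 203.0.113.5:8080       ESTABLISHED:ESTABLISHED
bridge0 tcp 200.10.0.100:51001 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
bridge0 udp 200.10.0.100:53012 -> 203.0.113.53:53       MULTIPLE:SINGLE
bridge0 tcp 200.10.0.50:51002 -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
em0 tcp 10.0.0.2:50000 -> 10.0.0.1:22       ESTABLISHED:ESTABLISHED
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATE_RE = re.compile(
    rf"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    rf"(?P<left>{IPV4}):(?P<lport>\d+)\s+(?P<arrow><-|->)\s+"
    rf"(?P<right>{IPV4}):(?P<rport>\d+)\s+(?P<status>\S+)"
)


def parse_state(line: str) -> Optional[Dict]:
    """Normalise one `pfctl -ss` line into src/dst regardless of arrow direction."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None  # headers, ALTQ notice, IPv6 entries: skipped by this audit
    d = m.groupdict()
    if d["arrow"] == "->":
        # Outbound state: the left endpoint is the originating source.
        direction, src, sport, dst, dport = "out", d["left"], d["lport"], d["right"], d["rport"]
    else:
        # Inbound state: pf prints the local destination first, then the remote source.
        direction, dst, dport, src, sport = "in", d["left"], d["lport"], d["right"], d["rport"]
    return dict(iface=d["iface"], proto=d["proto"], direction=direction,
                src=src, sport=int(sport), dst=dst, dport=int(dport))


def allowed_by_policy(st: Dict, host: str, port: int, iface: str) -> bool:
    """Mirror of the post's two pass rules: IN to host:port, OUT from host to any:port."""
    if st["iface"] != iface:
        return True  # states on other interfaces are outside this audit's scope
    if st["direction"] == "in":
        return st["dst"] == host and st["dport"] == port
    return st["src"] == host and st["dport"] == port


def find_violations(text: str, host: str = "200.10.0.100", port: int = 8080,
                    iface: str = "bridge0") -> List[Tuple[str, str]]:
    """Return (state line, reason) for every state no pass rule should have created."""
    violations = []
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or allowed_by_policy(st, host, port, iface):
            continue
        reason = (f"{st['direction']} {st['proto']} {st['src']}:{st['sport']} "
                  f"-> {st['dst']}:{st['dport']} is not covered by a pass rule")
        violations.append((line.strip(), reason))
    return violations


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATES
    found = find_violations(text)
    for line, reason in found:
        print(f"{reason}\n    {line}")
    print(f"{len(found)} unexpected state(s)")
```

If the OUT rule is being enforced, the only states the audit should print are none; an outbound state from 200.10.0.100 to port 443 or 53 on bridge0 is exactly the symptom described in the post. Because the audit keys on the state table rather than on rule counters, it also catches traffic passed by a rule the poster did not expect to match (the 200.10.0.50 line in the sample), which `pfctl -vsr` counters alone would not attribute to a host.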
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.