Solved: how to block bhyve VMs' IPv4 and IPv6 traffic with the host's pf in FreeBSD 14.2?

Dear all:
I have a machine with FreeBSD 14.2 and bhyve. I have enabled the pf firewall on the FreeBSD 14.2 host, and used bhyve to create some VMs. This host has only one network interface, em0. Below is the information.
1. em0 is dual-stacked with IPv4 and IPv6.

2. vm switch list
NAME TYPE IFACE ADDRESS PRIVATE MTU VLAN PORTS
public standard vm-public - no - - em0

3. pf rules
#options -------------------------------------------------
set skip on lo0
scrub in all
block log all

Now my questions:
1. The host can block all traffic with pf.
2. The bhyve VMs can go anywhere; pf can't stop any traffic. Why? How do I use the host's pf to block bhyve VM traffic?
Thanks.
 
Code:
PACKET FILTERING
     Packet filtering can be used with any firewall package that hooks in via
     the pfil(9) framework.  When filtering is enabled, bridged packets will
     pass through the filter inbound on the originating interface, on the
     bridge interface and outbound on the appropriate interfaces.  Either
     stage can be disabled.  The filtering behavior can be controlled using
     sysctl(8):

     net.link.bridge.pfil_onlyip  Controls the handling of non-IP packets
                                  which are not passed to pfil(9).  Set to 1
                                  to only allow IP packets to pass (subject to
                                  firewall rules), set to 0 to unconditionally
                                  pass all non-IP Ethernet frames.

     net.link.bridge.pfil_member  Set to 1 to enable filtering on the incoming
                                  and outgoing member interfaces, set to 0 to
                                  disable it.

     net.link.bridge.pfil_bridge  Set to 1 to enable filtering on the bridge
                                  interface, set to 0 to disable it.
bridge(4)
Please just don't. The pfil integration with if_bridge is an ugly hack and has many bugs waiting to ambush you.

The best way to do this is to route the VM traffic you want to filter (rather than bridging it). If you insist on layer 2 filtering at least use a layer 2 aware firewall: use ipfw instead.
(Yes, pf has basic ethernet filtering, but it's stateless and way too limited to do reasonable VM filtering.)
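One way to follow that advice, as an added example that is not from the thread or from Kristof: an /etc/pf.conf for a routed rather than bridged VM network. It assumes em0 has been removed from the vm-bhyve switch, the host holds the constructed addresses 10.0.100.1/24 and 2001:db8:100::1/64 on the switch's bridge interface vm-public, and gateway_enable="YES" / ipv6_gateway_enable="YES" are set in /etc/rc.conf so the host forwards for the VMs.

```pf
# Added example, not from the thread. Assumed layout (constructed values):
#   em0        the host's dual-stacked uplink
#   vm-public  the vm-bhyve switch bridge, with em0 removed as a port and
#              the host holding 10.0.100.1/24 and 2001:db8:100::1/64 on it
#   /etc/rc.conf: gateway_enable="YES" and ipv6_gateway_enable="YES"
# VMs use the host as their default gateway, so their packets are routed
# and pf filters them as ordinary IP on vm-public, not as bridged frames.
ext_if  = "em0"
vm_if   = "vm-public"
vm_net4 = "10.0.100.0/24"
vm_net6 = "2001:db8:100::/64"   # placeholder; use a prefix routed to the host

set skip on lo0
scrub in all

# IPv4 VMs leave through NAT on em0 (IPv6 is routed natively)
nat on $ext_if inet from $vm_net4 to any -> ($ext_if)

# Default deny, logged, as in the original ruleset
block log all

# Host's own traffic: allow only what the host itself initiates
pass out on $ext_if proto { tcp udp } from ($ext_if) to any
pass inet proto icmp all
pass inet6 proto icmp6 all      # ND, RA and PMTUD must get through

# VM traffic: nothing to the host itself ...
block in quick on $vm_if from { $vm_net4 $vm_net6 } to self
# ... and only DNS and HTTP/HTTPS outward. The tag lets the outbound rule
# on em0 recognise VM traffic even after NAT has rewritten the IPv4 source.
pass in on $vm_if proto udp from { $vm_net4 $vm_net6 } to any port 53 tag VM
pass in on $vm_if proto tcp from { $vm_net4 $vm_net6 } to any port { 80 443 } tag VM
pass out on $ext_if tagged VM
```

Check the result with `pfctl -vnf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` while a VM tries something other than DNS or web: the drop is logged on vm-public, which is exactly where a bridged setup never showed the packet to pf.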
Dear Kristof Provost:
Thanks for your help. I will follow your guidance, routing all bhyve VM traffic to em0 and then filtering it with pf. Thanks.