Re: sysctls and if_bridge
Michael, good day.
Wed, Sep 24, 2008 at 10:10:28AM -0400, Michael Proto wrote:
> > Ran into a strange problem the other day, hoping someone can shed some
> > light on this. Updated 8-CURRENT from 6/14 to 9/02 and noticed a strange
> > thing with my if_bridge interface. It appears as though the sysctls for
> > determining where to enable/disable filtering don't seem to be working.
> >
> > My router has an IP, 1.2.3.4/24 on its vr2 interface, which is bridged
> > to a second vr1 interface for my 3 other static IPs.
> >
> > /etc/rc.conf:
> > ifconfig_vr2="inet 1.2.3.4 netmask 255.255.255.0"
> > ifconfig_vr1="up"
> > cloned_interfaces="bridge0"
> > ifconfig_bridge0="addm vr2 addm vr1 up"
> >
> > /etc/sysctl.conf:
> > net.link.bridge.pfil_member=1
> > net.link.bridge.pfil_bridge=0
> >
> > Based on what I've read from the man pages (and how it worked before),
> > this should enable filtering on the vr2 and vr1 interfaces, and not the
> > bridge0 interface. After updating to 8-CURRENT 9/02 it appears that
> > these sysctl settings no longer matter, and filtering is enabled on both
> > the bridge and member interfaces. I ultimately had to tweak my
> > /etc/pf.conf and set all my inbound-from-the-Internet vr2 rules to
> > reference bridge0 instead. Outbound rules still use vr2, and I've
> > flipped both sysctl settings with no change in behavior. Traffic flows
> > now, but it appears these sysctls are not working as they should, or I'm
> > really missing something.
Could you please post your ifconfig output?
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
Re: sysctls and if_bridge
On Wed, Sep 24, 2008 at 10:36 AM, Eygene Ryabinkin <rea-fbsd@codelabs.ru> wrote:
> Could you please post your ifconfig output?
Sure! Here you go, and thanks! Bear in mind I'm using interface naming in
/etc/rc.conf. lan, dmz, and wan are all vr interfaces, and wifi is a vap
interface "cloned" from ath0.
lan: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
	ether 00:0d:b9:12:99:68
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
dmz: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
	ether 00:0d:b9:12:99:69
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
wan: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
	ether 00:0d:b9:12:99:6a
	inet 20.30.40.50 netmask 0xffffff00 broadcast 20.30.40.255
	media: Ethernet 100baseTX <full-duplex>
	status: active
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
	ether 00:80:48:7e:4c:e3
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
	status: running
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:0d:b9:12:99:6a
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: dmz flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 2 priority 128 path cost 200000
	member: wan flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 3 priority 128 path cost 55
wifi: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
	ether 00:80:48:7e:4c:e3
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
	status: running
	ssid BingoNightly channel 11 (2462 Mhz 11g) bssid 00:80:48:7e:4c:e3
	country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
	AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 17 scanvalid 60
	protmode CTS wme burst dtimperiod 1 -dfs
-Proto
Re: sysctls and if_bridge
Michael,
Wed, Sep 24, 2008 at 10:45:23AM -0400, Michael Proto wrote:
> Sure! Here you go, and thanks! Bear in mind I'm using interface naming in
> /etc/rc.conf. lan, dmz, and wan are all vr interfaces, and wifi is a vap
> interface "cloned" from ath0
>
>
> wan: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
> 	ether 00:0d:b9:12:99:6a
> 	inet 20.30.40.50 netmask 0xffffff00 broadcast 20.30.40.255
> 	media: Ethernet 100baseTX <full-duplex>
> 	status: active
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	ether 00:0d:b9:12:99:6a
> 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> 	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
> 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> 	member: dmz flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> 	        ifmaxaddr 0 port 2 priority 128 path cost 200000
> 	member: wan flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> 	        ifmaxaddr 0 port 3 priority 128 path cost 55
Seems like you're facing the problem where bridge0 inherits its MAC from
the 'wan' interface. Try to specify bridge0's MAC explicitly (via
ifconfig's 'link XX:XX:XX:XX:XX:XX' arguments); you can use some random
MAC, for example the one that is generated at the system's bootup for
bridge0 (example from one of my hosts):
-----
$ dmesg | grep bridge0 | grep Ethernet
bridge0: Ethernet address: 2e:13:01:19:11:66
-----
Maybe this will help you to work out your problems.
If so, then you'll probably need sys/net/if_bridge.c revision 1.117,
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/sys/net/if_bridge.c?rev=1.117;content-type=text%2Fplain
If this doesn't help, I'll try to think a bit more about this issue ;))
--
Eygene
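The condition Eygene diagnoses above (bridge0 carrying the same MAC as its 'wan' member, so pf can no longer tell the two apart for pfil_member/pfil_bridge purposes) can be checked for mechanically. The script below is an added example written for this thread; it is not code from the thread or from FreeBSD. It reads ifconfig-style output (a constructed sample modelled on Michael's posting is embedded, so it runs offline) and reports every bridge whose 'ether' address equals that of one of its members; it also shows how to turn an arbitrary MAC into a locally administered unicast address before handing it to 'ifconfig bridge0 link ...' as suggested. Function names and the sample are my own. On a kernel with if_bridge.c rev 1.117 and the default net.link.bridge.inherit_mac, the bridge gets a random MAC and the check should report nothing.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): detect a bridge that
# inherited its MAC from one of its members.

# Constructed sample, modelled on the ifconfig output posted in the thread.
# On a live host use the real output instead: ifconfig | find_inherited_bridge_macs
SAMPLE_IFCONFIG='wan: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:0d:b9:12:99:6a
	inet 20.30.40.50 netmask 0xffffff00 broadcast 20.30.40.255
dmz: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:0d:b9:12:99:69
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:0d:b9:12:99:6a
	member: dmz flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 2 priority 128 path cost 200000
	member: wan flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 3 priority 128 path cost 55'

# Read ifconfig output on stdin; print "<bridge> <member> <mac>" for every
# member whose ether address equals the bridge's own address.
find_inherited_bridge_macs() {
    awk '
        /^[A-Za-z0-9]/  { iface = $1; sub(/:$/, "", iface) }        # interface header line
        $1 == "ether"   { mac[iface] = $2 }                          # link-level address
        $1 == "member:" { members[iface] = members[iface] " " $2 }   # bridge member list
        END {
            for (b in members) {
                n = split(members[b], m, " ")
                for (i = 1; i <= n; i++)
                    if (m[i] != "" && (m[i] in mac) && mac[m[i]] == mac[b])
                        print b, m[i], mac[b]
            }
        }'
}

# Turn any MAC into a locally administered (bit 0x02 set) unicast
# (bit 0x01 clear) address, the kind that is safe to assign by hand
# with "ifconfig bridge0 link <mac>".
locally_administered_mac() {
    first=$(( (0x${1%%:*} | 2) & ~1 ))
    printf '%02x:%s\n' "$first" "${1#*:}"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_IFCONFIG" | find_inherited_bridge_macs |
while read -r bridge member mac; do
    echo "$bridge shares MAC $mac with member $member"
    echo "  suggested fix: ifconfig $bridge link $(locally_administered_mac "$mac")"
done
```

Only the first header line of each interface and its 'ether' and 'member:' lines are consulted, so the check is indifferent to the extra lines (options, media, RSTP parameters) that a real ifconfig prints.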
Re: sysctls and if_bridge
Michael, good day.
Wed, Sep 24, 2008 at 09:12:04PM -0400, Michael Proto wrote:
> Manually setting the bridge0 MAC to something other than the wan did work.
> Rebuilt kernel with if_bridge.c rev 1.117 and the bridge0 MAC is now
> randomly-generated again, and works as well.
Glad to hear.
> Thanks for the help!
You're welcome ;))
> I also now see the net.link.bridge.inherit_mac sysctl as specified in the
> commit. Just curious, but would this be useful in situations where
> pfil_member is 1 and pfil_bridge is 0?
It depends on one's needs, as usual, but perhaps it won't be very useful
if you decide to filter on _all_ bridge members. Having two interfaces
with the same MAC within the bridge poses some problems in the case of
locally-destined packets, but the sysctl net.link.bridge.pfil_local_phys
can help with those.
Filtering rules for packets that are traversing the bridge shouldn't
be harmed by MAC inheritance, unless I am missing something.
--
Eygene