Re: sysctls and if_bridge - FreeBSD



Thread: Re: sysctls and if_bridge

  1. Re: sysctls and if_bridge

    Michael, good day.

    Wed, Sep 24, 2008 at 10:10:28AM -0400, Michael Proto wrote:
    > > Ran into a strange problem the other day, hoping someone can shed some
    > > light on this. Updated 8-CURRENT from 6/14 to 9/02 and noticed a strange
    > > thing with my if_bridge interface. It appears as though the sysctls for
    > > determining where to enable/disable filtering don't seem to be working.
    > >
    > > My router has an IP, 1.2.3.4/24 on its vr2 interface, which is bridged
    > > to a second vr1 interface for my 3 other static IPs.
    > >
    > > /etc/rc.conf:
    > > ifconfig_vr2="inet 1.2.3.4 netmask 255.255.255.0"
    > > ifconfig_vr1="up"
    > > cloned_interfaces="bridge0"
    > > ifconfig_bridge0="addm vr2 addm vr1 up"
    > >
    > > /etc/sysctl.conf:
    > > net.link.bridge.pfil_member=1
    > > net.link.bridge.pfil_bridge=0
    > >
    > > Based on what I've read from the man pages (and how it worked before),
    > > this should enable filtering on the vr2 and vr1 interfaces, and not the
    > > bridge0 interface. After updating to 8-CURRENT 9/02 it appears that
    > > these sysctl settings no longer matter, and filtering is enabled on both
    > > the bridge and member interfaces. I ultimately had to tweak my
    > > /etc/pf.conf and set all my inbound-from-the-Internet vr2 rules to
    > > reference bridge0 instead. Outbound rules still use vr2, and I've
    > > flipped both sysctl settings with no change in behavior. Traffic flows
    > > now, but it appears these sysctls are not working as they should, or I'm
    > > really missing something.


    Could you please post your ifconfig output?
    --
    Eygene
    _ ___ _.--. #
    \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
    / ' ` , __.--' # to read the on-line manual
    )/' _/ \ `-_, / # while single-stepping the kernel.
    `-'" `"\_ ,_.-;_.-\_ ', fsc/as #
    _.-'_./ {_.' ; / # -- FreeBSD Developers handbook
    {_.-``-' {_/ #



  2. Re: sysctls and if_bridge

    On Wed, Sep 24, 2008 at 10:36 AM, Eygene Ryabinkin wrote:

    > Michael, good day.
    >
    > Wed, Sep 24, 2008 at 10:10:28AM -0400, Michael Proto wrote:
    > > > Ran into a strange problem the other day, hoping someone can shed some
    > > > light on this. Updated 8-CURRENT from 6/14 to 9/02 and noticed a strange
    > > > thing with my if_bridge interface. It appears as though the sysctls for
    > > > determining where to enable/disable filtering don't seem to be working.
    > > >
    > > > My router has an IP, 1.2.3.4/24 on its vr2 interface, which is bridged
    > > > to a second vr1 interface for my 3 other static IPs.
    > > >
    > > > /etc/rc.conf:
    > > > ifconfig_vr2="inet 1.2.3.4 netmask 255.255.255.0"
    > > > ifconfig_vr1="up"
    > > > cloned_interfaces="bridge0"
    > > > ifconfig_bridge0="addm vr2 addm vr1 up"
    > > >
    > > > /etc/sysctl.conf:
    > > > net.link.bridge.pfil_member=1
    > > > net.link.bridge.pfil_bridge=0
    > > >
    > > > Based on what I've read from the man pages (and how it worked before),
    > > > this should enable filtering on the vr2 and vr1 interfaces, and not the
    > > > bridge0 interface. After updating to 8-CURRENT 9/02 it appears that
    > > > these sysctl settings no longer matter, and filtering is enabled on both
    > > > the bridge and member interfaces. I ultimately had to tweak my
    > > > /etc/pf.conf and set all my inbound-from-the-Internet vr2 rules to
    > > > reference bridge0 instead. Outbound rules still use vr2, and I've
    > > > flipped both sysctl settings with no change in behavior. Traffic flows
    > > > now, but it appears these sysctls are not working as they should, or I'm
    > > > really missing something.

    >
    > Could you please post your ifconfig output?
    > --
    > Eygene

    Sure! Here you go, and thanks! Bear in mind I'm using interface naming in
    /etc/rc.conf. lan, dmz, and wan are all vr interfaces, and wifi is a vap
    interface "cloned" from ath0


    lan: flags=8843 metric 0 mtu 1500
            options=280b
            ether 00:0d:b9:12:99:68
            inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
            media: Ethernet autoselect (100baseTX )
            status: active
    dmz: flags=8943 metric 0 mtu 1500
            options=280b
            ether 00:0d:b9:12:99:69
            media: Ethernet autoselect (100baseTX )
            status: active
    wan: flags=8943 metric 0 mtu 1500
            options=280b
            ether 00:0d:b9:12:99:6a
            inet 20.30.40.50 netmask 0xffffff00 broadcast 20.30.40.255
            media: Ethernet 100baseTX
            status: active
    ath0: flags=8843 metric 0 mtu 2290
            ether 00:80:48:7e:4c:e3
            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
            status: running
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128
    pflog0: flags=141 metric 0 mtu 33204
    lo0: flags=8049 metric 0 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
    bridge0: flags=8843 metric 0 mtu 1500
            ether 00:0d:b9:12:99:6a
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: dmz flags=143
                    ifmaxaddr 0 port 2 priority 128 path cost 200000
            member: wan flags=143
                    ifmaxaddr 0 port 3 priority 128 path cost 55
    wifi: flags=8843 metric 0 mtu 2290
            ether 00:80:48:7e:4c:e3
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
            status: running
            ssid BingoNightly channel 11 (2462 Mhz 11g) bssid 00:80:48:7e:4c:e3
            country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
            AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 17 scanvalid 60
            protmode CTS wme burst dtimperiod 1 -dfs




    -Proto
    _______________________________________________
    freebsd-current@freebsd.org mailing list
    http://lists.freebsd.org/mailman/lis...reebsd-current
    To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"


  3. Re: sysctls and if_bridge

    Michael,

    Wed, Sep 24, 2008 at 10:45:23AM -0400, Michael Proto wrote:
    > Sure! Here you go, and thanks! Bear in mind I'm using interface naming in
    > /etc/rc.conf. lan, dmz, and wan are all vr interfaces, and wifi is a vap
    > interface "cloned" from ath0
    >
    >
    > wan: flags=8943 metric 0 mtu 1500
    >         options=280b
    >         ether 00:0d:b9:12:99:6a
    >         inet 20.30.40.50 netmask 0xffffff00 broadcast 20.30.40.255
    >         media: Ethernet 100baseTX
    >         status: active
    > bridge0: flags=8843 metric 0 mtu 1500
    >         ether 00:0d:b9:12:99:6a
    >         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    >         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
    >         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    >         member: dmz flags=143
    >                 ifmaxaddr 0 port 2 priority 128 path cost 200000
    >         member: wan flags=143
    >                 ifmaxaddr 0 port 3 priority 128 path cost 55


    Seems like you're facing the problem where bridge0 inherits its MAC from
    the 'wan' interface. Try to specify bridge0's MAC explicitly (via
    ifconfig's 'link XX:XX:XX:XX:XX:XX' arguments); you can use some random
    MAC, for example the one that is generated at the system's bootup for
    bridge0 (example from one of my hosts):
    -----
    $ dmesg | grep bridge0 | grep Ethernet
    bridge0: Ethernet address: 2e:13:01:19:11:66
    -----
    Maybe this will help you to work out your problems.

    If so, then you'll probably need sys/net/if_bridge.c revision 1.117,
    http://www.freebsd.org/cgi/cvsweb.cg...e=text%2Fplain

    If this won't help, I'll try to think a bit more about this issue )
    --
    Eygene

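The diagnosis above (bridge0 carrying the same MAC as its 'wan' member) can be checked mechanically before touching pf rules. The script below is an added example, not code from the thread or from FreeBSD; the function names bridge_mac_collisions and random_laa_mac and the ifconfig-style samples are constructed for illustration, modelled on the output posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): flag an if_bridge whose
# MAC equals a member's, the symptom diagnosed above. It parses
# ifconfig(8)-style text so it can be run offline on the samples below.

# Constructed samples modelled on the thread's output: the first has the
# collision, the second gives bridge0 the distinct address from the reply.
SAMPLE_COLLIDING='wan: flags=8943 metric 0 mtu 1500
        ether 00:0d:b9:12:99:6a
dmz: flags=8943 metric 0 mtu 1500
        ether 00:0d:b9:12:99:69
bridge0: flags=8843 metric 0 mtu 1500
        ether 00:0d:b9:12:99:6a
        member: dmz flags=143
        member: wan flags=143'
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_COLLIDING" |
    sed '/^bridge0:/,$ s/00:0d:b9:12:99:6a/2e:13:01:19:11:66/')

# bridge_mac_collisions TEXT BRIDGE
# Prints "BRIDGE MEMBER MAC" for each member sharing the bridge's MAC and
# returns 0; prints nothing and returns 1 when the bridge MAC is distinct.
# Live use on a FreeBSD host: bridge_mac_collisions "$(ifconfig)" bridge0
bridge_mac_collisions() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^[a-z0-9]+: /               { cur = $1; sub(":", "", cur) }
        $1 == "ether"                { mac[cur] = $2 }
        $1 == "member:" && cur == br { members[$2] = 1 }
        END {
            hits = 0
            for (m in members)
                if ((m in mac) && mac[m] == mac[br]) {
                    print br, m, mac[m]; hits++
                }
            exit hits ? 0 : 1
        }'
}

# Random locally administered unicast MAC (first octet 02) for the
# "ifconfig bridge0 link <mac>" fix suggested above; the 0x02 bit keeps
# it outside every vendor-assigned OUI range, so it cannot collide.
random_laa_mac() {
    od -An -N5 -tx1 /dev/urandom | tr -d ' \n' |
        sed 's/\(..\)/:\1/g; s/^/02/'
}

if bridge_mac_collisions "$SAMPLE_COLLIDING" bridge0; then
    echo "fix: ifconfig bridge0 link $(random_laa_mac)"
fi
```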


  4. Re: sysctls and if_bridge

    Michael, good day.

    Wed, Sep 24, 2008 at 09:12:04PM -0400, Michael Proto wrote:
    > Manually setting the bridge0 MAC to something other than the wan did work.
    > Rebuilt kernel with if_bridge.c rev 1.117 and the bridge0 MAC is now
    > randomly-generated again, and works as well.


    Glad to hear.

    > Thanks for the help!


    You're welcome )

    > I also now see the net.link.bridge.inherit_mac sysctl as specified in the
    > commit. Just curious, but would this be useful in situations where
    > pfil_member is 1 and pfil_bridge is 0?


    It depends on one's needs, as usual, but perhaps it won't be very useful
    if you decide to filter on _all_ bridge members. Having two interfaces
    with the same MAC within the bridge poses some problems in the case of
    locally-destined packets, but the sysctl net.link.bridge.pfil_local_phys
    can help with those.

    Filtering rules for packets that are traversing the bridge shouldn't
    be harmed by MAC inheritance, unless I am missing something.
    --
    Eygene


