From: Eugene Grosbein <eugen@grosbein.net>
To: Michael Sierchio
Cc: freebsd-net@freebsd.org, Dan Lists
Subject: Re: Bridge Not Forwarding ARP
Date: Tue, 9 Jul 2019 01:22:07 +0700
List-Id: Networking and TCP/IP with FreeBSD

09.07.2019 0:43, Michael Sierchio wrote:
> On Mon, Jul 8, 2019 at 10:33 AM Eugene Grosbein wrote:
>
>> 09.07.2019 0:19, Dan Lists wrote:
>>
>>> On Mon, Jul 8, 2019 at 11:55 AM Michael Sierchio wrote:
>>>
>>>> What does your firewall ruleset look like? (show, don't tell)
>>>
>>> The firewall is off for testing (the machine is only on a private network).
>>>
>>> # ipfw list
>>> 65535 allow ip from any to any
>>>
>>>> What does sysctl report on the interfaces and on arp?
>>>
>>> I have not changed any settings.
>>
>> Show output of ifconfig for the bridge and for its members, too.
>> I suppose there is some misconfiguration, like an IP address assigned to
>> member interfaces, which is wrong.
>> All IP addresses need to be moved to the bridge interface itself.
>
> Does 'ip' in ipfw match arp packets?

We have net.link.bridge.ipfw_arp that defaults to 0 (false):

$ sysctl -d net.link.bridge.ipfw_arp
net.link.bridge.ipfw_arp: Filter ARP packets through IPFW layer2

If one changes it to 1 so ipfw would get bridged ARP frames, then the answer to your question should depend on the value of net.link.ether.ipfw (0 by default), as ARP packets have no IP header.

So if you change so many sysctls, you will be able to filter ARP frames with the "ip" keyword, as "ip" is equal to "all" in ipfw.
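The sysctl interaction Eugene describes above, as an added example that is not part of the thread: a POSIX sh helper that reads sysctl(8)-style "name: value" lines and reports whether bridged ARP frames will reach ipfw at all, following the message's description (net.link.bridge.ipfw_arp=1 hands bridged ARP to the ipfw layer-2 path, and net.link.ether.ipfw=1 is then also needed because ARP has no IP header). The function name and the sample input lines are constructed for this example; the two sysctl names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# ipfw_sees_bridged_arp: read "name: value" lines (the format printed by
# `sysctl net.link.bridge.ipfw_arp net.link.ether.ipfw`) on stdin and decide
# whether ipfw will see bridged ARP frames. Missing lines count as the
# FreeBSD defaults (0). Returns 0 for "yes", 1 for "no".
ipfw_sees_bridged_arp() {
    arp=0
    ether=0
    while IFS= read -r line; do
        case "$line" in
            net.link.bridge.ipfw_arp:*) arp=${line##*: } ;;
            net.link.ether.ipfw:*)      ether=${line##*: } ;;
        esac
    done
    if [ "$arp" = 1 ] && [ "$ether" = 1 ]; then
        echo "yes: bridged ARP frames reach ipfw; 'ip' (alias of 'all') rules match them"
        return 0
    fi
    if [ "$arp" != 1 ]; then
        echo "no: net.link.bridge.ipfw_arp=$arp, bridged ARP is not handed to ipfw"
    else
        echo "no: net.link.ether.ipfw=$ether, ipfw does not examine layer-2 frames, and ARP has no IP header"
    fi
    return 1
}

# Constructed sample inputs: the defaults, then both sysctls enabled.
# On a FreeBSD host, pipe the real output instead:
#   sysctl net.link.bridge.ipfw_arp net.link.ether.ipfw | ipfw_sees_bridged_arp
printf 'net.link.bridge.ipfw_arp: 0\nnet.link.ether.ipfw: 0\n' | ipfw_sees_bridged_arp || :
printf 'net.link.bridge.ipfw_arp: 1\nnet.link.ether.ipfw: 0\n' | ipfw_sees_bridged_arp || :
printf 'net.link.bridge.ipfw_arp: 1\nnet.link.ether.ipfw: 1\n' | ipfw_sees_bridged_arp || :
```

The helper only answers the question raised in the thread (will ipfw see the frames); with both sysctls at 0 an "allow ip from any to any" ruleset is irrelevant to ARP, so the forwarding problem has to be looked for in ifconfig output for the bridge and its members, as suggested above.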