Date: Wed, 30 Jul 2025 19:42:52 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Lexi Winter
cc: net@freebsd.org
Subject: Re: vlan(4) and bridge(4) on same interface
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Wed, 30 Jul 2025, Lexi Winter wrote:

> hello,
>
> currently we allow users to create a vlan and a bridge on the same
> interface, like this:
>
> % ifconfig ix0.100 create
> % ifconfig bridge0 create addm ix0
>
> i am aware that some people are using this in production, but because it
> doesn't work properly[0], i would like to forbid this configuration in
> 16.0, i.e. it would not be possible to add an interface to a bridge if
> vlans are present on that interface, and vice versa.

Sounds like a good plan.

Do you intend to make it a sysctl in 15 already so people can forbid it
upfront before migrating to 16, and in 16 before stable/16 just remove
it altogether?

Or if it is not too late for 15, simply have the sysctl disabled by
default in 15 and people can rescue themselves flipping it for the
lifetime of 15? Given the other changes, I wonder if it would just
make sense to get all the cases/possible breakage sorted in one go that
way?

> i am looking for feedback from people who are currently using this:

I do have setups which are highly fragile (you may notice I am good at
creating these silly things); I had conversations with kp@ about them
in the past.

dwc0 inet6
bridge0 addm dwc0 addm epair0a ; epair0b in another vnet with another 3 vlans on top
vlan100 inet6 on dwc0
vlan200 inet6 on dwc0

Normally I would have put the vlan interfaces into the vnet without
bridge but you cannot have the same vlan N twice on the same parent
interface. Hence the bridge in the middle.
Should really be three bridges and 3 epairs on 3 vlan interfaces in the
base for the vnet but ..

> - can you switch your untagged traffic to tagged instead and use a
>   vlan(4) in a bridge? e.g.,
>
> % ifconfig ix0.100 create
> % ifconfig ix0.101 create
> % ifconfig bridge0 create addm ix0.101

Is this the same setup as above as we are no longer bridging the trunk
in addition to having a local access VLAN or do I have a different use
case in mind?

> - can you switch to a vlan filtering bridge instead? e.g.,
>
> % ifconfig bridge0 create addm ix0 vlanfilter tagged ix0 100,101
> % ifconfig bridge0.100 create
> % ifconfig bridge0.101 create

If I were to take my above setup, would the following do the job?
(syntax may be wrong)

ifconfig bridge0 addm dwc0 [vlanfilter] untagged dwc0 4000 tagged dwc0 100,200,300,400
ifconfig bridge0.4000 inet6 ... # that's the base address formerly on dwc0 for untagged on the wire
ifconfig bridge0.100 inet6 ..
ifconfig bridge0.200 inet6 ..
ifconfig bridge0 addm epair0a [vlanfilter] tagged epair0a 100,300,400

Seems a lot cleaner and I know which problems will go away right away.

> if the answer to both these questions is no, it would be helpful if you
> could explain why.

The only problem I need to figure out is how to transition from a
netboot setup (address is on the physical interface) to something where
the address migrates to the bridge without losing the NFS root mount...

Has anyone found a solution for that already?

/bz

-- 
Bjoern A. Zeeb                                                     r15:7
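
An added example, not part of the original message or of FreeBSD's tooling: a small sh/awk check that lists interfaces which are at the same time a bridge(4) member and a vlan(4) parent, the combination proposed to be forbidden in 16.0. The function names are hypothetical, the `ifconfig` output in `sample_ifconfig` is constructed, and the parser assumes the `member:` and `parent interface:` lines that `ifconfig` prints for bridges and vlans.

```shell
#!/bin/sh
# Constructed sample of FreeBSD ifconfig output (trimmed; not from a real host).
sample_ifconfig() {
cat <<'EOF'
ix0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
ix1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        ether 00:00:5e:00:53:02
ix0.100: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        groups: vlan
        vlan: 100 vlanproto: 802.1q vlanpcp: 0 parent interface: ix0
ix1.101: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        groups: vlan
        vlan: 101 vlanproto: 802.1q vlanpcp: 0 parent interface: ix1
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        member: ix0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        groups: bridge
bridge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        member: ix1.101 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        groups: bridge
EOF
}

# Reads ifconfig output on stdin; prints one line per interface that is both
# a bridge member and the parent of at least one vlan interface.
find_conflicts() {
    awk '
    /^[^ \t]/ { cur = $1; sub(/:$/, "", cur); next }     # "ix0: flags=..." header
    /^[ \t]+member: / { bridge[$2] = cur; next }         # bridge member line
    /parent interface: / {                               # vlan(4) detail line
        for (i = 1; i < NF - 1; i++)
            if ($i == "parent" && $(i + 1) == "interface:" && $(i + 2) != "<none>")
                vlans[$(i + 2)] = vlans[$(i + 2)] (vlans[$(i + 2)] ? "," : "") cur
    }
    END {
        for (p in vlans)
            if (p in bridge)
                print p, "bridge=" bridge[p], "vlans=" vlans[p]
    }' | sort
}

# ix0 is flagged (member of bridge0, parent of ix0.100); ix1 is not, because
# only its vlan ix1.101 is bridged, as in the first alternative quoted above.
sample_ifconfig | find_conflicts
```

On a live host the same check is `ifconfig | find_conflicts`; empty output means no interface is in the combined state.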