Date: Wed, 30 Jul 2025 22:10:22 +0100
From: Lexi Winter
To: "Vladimir B. Grebenschikov"
Cc: net@freebsd.org
Subject: Re: vlan(4) and bridge(4) on same interface
In-Reply-To: <41044116-542D-447B-9831-B31F75688D56@fbsd.ru>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Vladimir B. Grebenschikov:
> % ifconfig ix0 description "trunked uplink"
> % ifconfig ix1 description "another trunked link"
> % ifconfig bridge0 create addm ix0 ix1
> % ifconfig bridge0.100 create description "Host interface here"
>
> so far everything fine - normal usage, bridge handles trunked traffic
>
> now I wish to have a number of jails attached to VLAN 101, so I will:
>
> % ifconfig bridge0.101 create up description "unwrap VLAN 101"

this is fine, but an interface of this type should only be used for
routed traffic, i.e. for the host itself to communicate on the network.
so you would not attach VMs/jails to this interface.

> [...]
> what cbsd (just another jail management software) will do underneath?
> something like:
>
> % ifconfig bridge1 addm bridge0.101 addm epair0a addm epair1a addm epair2a

you cannot put the bridge0.101 interface into another bridge.  previously
this would panic; since Monday (or so) it is disallowed instead.

what you want to do is this:

	ifconfig epair0 create
	ifconfig epair1 create
	ifconfig epair2 create
	ifconfig bridge0 create vlanfilter \
		addm epair0a untagged epair0a 101 \
		addm epair1a untagged epair1a 101 \
		addm epair2a untagged epair2a 101

now put the other ends of the epairs (epair0b, ...) into your vnet jails,
and the jails will be connected to VLAN 101 on the bridge.

if the host will be the router for the jails, then configure the IP
address on bridge0.101 and the jails will be able to reach it via L2.

i cannot say how CBSD would/should handle this, but i expect jail/vm
management tools should be modified to support the new behaviour.

however, if your management software simply does "addm epairX", then
there is a way to cheat here:

	ifconfig bridge0 create vlanfilter defuntagged 101

now, every interface you add to the bridge gets "untagged 101"
automatically unless you specify something else.

(NB: this functionality is not available until D51600 lands, but as i
said in my other mail, hopefully that's very soon.)
> But on the other hand, having something that in the real world can be
> represented as a dumb switch with no VLAN support (and no way to
> misconfigure it) to connect a room of PCs, where all unwrapping and
> ACLs are configured once on the smart switch port where the dumb
> switch is plugged in – also makes sense.

the problem is, if you want a bridge and a vlan(4) on the same interface,
the bridge can't just be a dumb switch, because it needs to know whether
tagged frames should be sent to vlan(4) or handled by the bridge itself,
so it always needs at least some awareness of the existence of vlans.

if you want a bridge that doesn't know *anything* about VLANs,
unfortunately this has not existed since 2007, when VLAN support was
first added to bridge(4).  you might find ng_bridge can do this; i don't
know much about that.
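The epair-plus-vlanfilter recipe in the reply above, turned into a small POSIX sh helper as an added example (this is not code from the thread, from the FreeBSD project or from CBSD). It generates the ifconfig(8) sequence the reply gives, one epair per jail with the "a" end as an untagged port on the chosen VLAN, and refuses the two inputs the reply warns about or that ifconfig would reject: a VLAN ID outside 1-4094, and a bridgeN.VID vlan(4) interface used as a bridge member. The "vlanfilter", "addm" and "untagged" keywords are the ones shown in the reply; the epairN/bridge0 naming, the jail names, and moving the "b" end with "ifconfig epairNb vnet <jail>" (a standard ifconfig option, but not something the reply itself shows) are assumptions of this example. Commands are only printed unless DRY_RUN=0, so the output can be reviewed before it touches a host; as in the reply, "create" is used for bridge0, so drop it if the bridge already exists.

```shell
#!/bin/sh
# Added example: emit the ifconfig(8) commands for attaching vnet jails to a
# single VLAN through a vlanfilter bridge(4), as described in the reply.
# Assumed names: epair0, epair1, ... and bridge0; jails already exist with
# vnet enabled. Nothing here is executed unless DRY_RUN=0.

set -u

# valid_vid VID -> 0 if VID is a usable 802.1Q VLAN ID (1..4094), else 1
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then return 0; fi
    return 1
}

# member_ok IFNAME -> 1 if IFNAME looks like a bridgeN.VID vlan(4) interface,
# which the reply says must not be a member of another bridge; 0 otherwise
member_ok() {
    case "$1" in
        bridge[0-9]*.[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# vlan_bridge_cmds BRIDGE VID JAIL... -> prints, one per line, the commands
# that create one epair per jail, build BRIDGE with vlanfilter and each
# epairNa as an untagged port on VID (so the jail only sees that VLAN), and
# move each epairNb into its jail. Prints nothing and returns 1 on bad input.
vlan_bridge_cmds() {
    bridge=$1; vid=$2; shift 2
    valid_vid "$vid" || return 1
    member_ok "$bridge" || return 1
    [ $# -ge 1 ] || return 1
    i=0
    addm=""
    for jail in "$@"; do
        printf 'ifconfig epair%d create\n' "$i"
        addm="$addm addm epair${i}a untagged epair${i}a $vid"
        i=$((i + 1))
    done
    printf 'ifconfig %s create vlanfilter%s\n' "$bridge" "$addm"
    i=0
    for jail in "$@"; do
        printf 'ifconfig epair%db vnet %s\n' "$i" "$jail"   # assumed jail names
        i=$((i + 1))
    done
}

# run_cmds: read commands from stdin; print them (DRY_RUN=1, the default)
# or execute them in order, stopping at the first failure (DRY_RUN=0)
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '# %s\n' "$cmd"
        else
            $cmd || return 1
        fi
    done
}

# Usage (dry run): two jails, "web" and "db", as untagged ports on VLAN 101.
vlan_bridge_cmds bridge0 101 web db | run_cmds
```

With DRY_RUN=0 the script runs the same lines in order, so a refused interface or VLAN ID stops it before any epair is created rather than halfway through. The untagged-per-member form is what confines each jail to VLAN 101; the "defuntagged" shortcut the reply mentions is deliberately not used here because the reply says it is not available until D51600 lands.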