From: "Patrick M. Hausen"
To: Paul Vixie
CC: "freebsd-net@freebsd.org"
Subject: Re: HEADS UP: 15.0-CURRENT, change to bridge(4) might break some network configurations with “Invalid argument”
Date: Mon, 19 May 2025 18:09:08 +0000
In-Reply-To: <7a54f675-3c39-43a7-8e06-f63857c3bf91@redbarn.org>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive:
https://lists.freebsd.org/archives/freebsd-net

Hi all,

> On 19.05.2025 at 19:28, Paul Vixie wrote:
>
> If we move all member ifaddrs to the bridge itself, then will arp requests always have to be broadcast on all member interfaces? If so this is intolerable from a security perspective, a complete nonstarter.

I am not quite sure I follow. A bridge by definition creates a single broadcast domain so any frame with a layer 2 broadcast destination address must necessarily be flooded to all member ports.

If you want separate broadcast domains for e.g. a dozen of epairs you place an IP address on the host side, another IP address in a matching prefix on the jail side, and use the host as the default gateway for the jail.

If you want a couple of jails to share a "virtual switch" you place no IP addresses on any of the host sides, only on the jail sides - all in the same prefix - and a single address on the bridge to again provide the default gateway to the jails.

You either place IP addresses on interfaces, but then don't bridge but route. Or you bridge, but then do not put IP addresses on the bridge members.

This restriction has been in place since the introduction of if_bridge(4) in FreeBSD in 2005.

I insist on repeating this point although I am not participating in development of networking or any part of the kernel, mainly because - as some might know - I am a very active member of the FreeNAS/TrueNAS community providing a lot of free support. And during the years the main FreeNAS/TrueNAS platform was FreeBSD the proper configuration of networking for jails was one of the by far most frequent support issues occurring. Mainly because iX had got their own implementation wrong in the first place, so you needed to manually work around FreeNAS' defaults.

Kind regards,
Patrick
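
An added example, not part of the original message: a Python audit for the rule stated above (bridge or route, never an IP address on a bridge member). It parses `ifconfig -a` style output and reports members that carry an address. The sample output is constructed, and skipping IPv6 link-local addresses is an assumption of this sketch.

```python
import re

# Constructed sample in the layout of FreeBSD `ifconfig -a` output (not from the original message).
SAMPLE_IFCONFIG = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 58:9c:fc:00:00:01
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
\tmember: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair0a: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:00:00:00:00:0a
\tinet6 fe80::ff:fe00:a%epair0a prefixlen 64 scopeid 0x3
epair1a: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:00:00:00:01:0a
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
epair2a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.1 netmask 0xfffffffc broadcast 198.51.100.3
"""

def parse_ifconfig(text):
    """Return {ifname: {"addrs": [...], "members": [...]}} from ifconfig output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)  # unindented line starts an interface
        if m:
            cur = ifaces.setdefault(m.group(1), {"addrs": [], "members": []})
            continue
        tok = line.split()
        if cur is None or len(tok) < 2:
            continue
        # Assumption: auto-assigned IPv6 link-local addresses are not reported.
        if tok[0] in ("inet", "inet6") and not tok[1].lower().startswith("fe80:"):
            cur["addrs"].append(tok[1])
        elif tok[0] == "member:":
            cur["members"].append(tok[1])
    return ifaces

def addressed_bridge_members(text):
    """List (bridge, member, addrs) for every bridge member that holds an IP address."""
    ifaces = parse_ifconfig(text)
    findings = []
    for name, info in ifaces.items():
        for member in info["members"]:
            addrs = ifaces.get(member, {}).get("addrs", [])
            if addrs:
                findings.append((name, member, addrs))
    return findings

if __name__ == "__main__":
    for bridge, member, addrs in addressed_bridge_members(SAMPLE_IFCONFIG):
        print(f"{bridge}: member {member} carries {', '.join(addrs)}")
```

In the sample, `epair1a` is flagged because it is both bridged and addressed, while `epair2a` is the routed case and `bridge0` holds the gateway address itself.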