Date: Sun, 6 Aug 2000 23:23:39 -0400 From: "Vladimir N. Silyaev" <vsilyaev@mindspring.com> To: emulation@FreeBSD.ORG Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: vmware changes result in nasty bridging mess Message-ID: <20000806232339.A3251@jupiter.delta.ny.us> In-Reply-To: <Pine.NEB.3.96L.1000806190759.90634A-100000@fledge.watson.org>; from rwatson@FreeBSD.ORG on Sun, Aug 06, 2000 at 07:14:59PM -0400 References: <200008032335.TAA01440@jupiter.delta.ny.us> <Pine.NEB.3.96L.1000806190759.90634A-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
Ok, guys.
See in the attachment fix, you should apply it to prevent current behavior.
On Sun, Aug 06, 2000 at 07:14:59PM -0400, Robert Watson wrote:
> On Thu, 3 Aug 2000, Vladimir N. Silyaev wrote:
>
> > >Bridging on by default may
> > >have nasty side effects for multi-interface machines (especially security
> > >side effects).
> > It's several ways to work around about that:
> > - compile kernel without bridging support.
> > - remove bridge starting code vmware.sh file in rc.d directory.
> > - create special bridge cluster with one real interface and with one emulated
>
> Actually, I was hoping that the vmware port wouldn't interfere with
> existing configurations on the box :-). I compile in the BRIDGE code so
> that I can test/develop with it, not so that ethernet support on the
> notebook can be broken after I install the vmware port, or so that a port
> can arbitrarily turn on bridging of all attached ethernet devices.
>
> > >I haven't read the code (I admit) but I finding the
> > >current behavior both (a) irritating (messages) and (b) worrying
> > >(unpredicted bridging with potential side effects).
> > I don't know I never seen such effect. Could you to do more testing
> > about that.
>
> The behavior with the wi0 ethernet driver seems to be continuous printing
> of the output included in my previous message.
>
> With the ep0 driver, the results are actually much worse -- I'm unable to
> use networking at all while the bridging sysctl is enabled (the default).
> While the sysctl is enabled, dhclient fails for that interface, and any
> attempt to manually configure and use it results in a route not found.
> When I disable the sysctl, networking begins to work on the box.
>
> The following default-installed startup script is really, really scary:
>
> sysctl net.link.ether.bridge_refresh && bridge="_bridge"
> kldload if_tap.ko
> echo -n >/compat/linux/dev/vmnet1
> ifconfig vmnet1 $host_ip netmask $netmask
> if [ _$bridge != _ ]; then
> sysctl -w net.link.ether.bridge_refresh=1
> sysctl -w net.link.ether.bridge=1
> fi
>
> Un-announced, the vmware port enabled bridging between the ethernet
> interfaces on my notebook, generated voluminous output for wi0, and broke
> networking for ep0. This is a security risk, in that it automatically
> enables bridging between previously un-connected LAN segments that may
> have different security properties. This is against POLA in that it
> breaks functionality (networking), bridges packets unto unexpected
> segments (potentially breaking many other things, especially DHCP), etc.
> Previously, use of networking support would create a virtual network
> between the host and the guest OS, but not affect other networking
> functionality.
--
Vladimir
--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="vmware.diff"
Index: files/vmware.sh
===================================================================
RCS file: /home/vns/cvs/vmware/vmware/vmmon-only/freebsd/port/files/vmware.sh,v
retrieving revision 1.5
diff -u -r1.5 vmware.sh
--- files/vmware.sh 2000/07/31 00:54:37 1.5
+++ files/vmware.sh 2000/08/07 03:16:16
@@ -8,6 +8,7 @@
networking=@@NETWORKING@@
host_ip=@@HOST_IP@@
netmask=@@NETMASK@@
+start_bridge=0
[ -x $vmware_dir/bin/vmware ] || exit
@@ -19,17 +20,32 @@
exec >/dev/null
+ if [ $networking -eq 1 ]; then
+ if sysctl net.link.ether.bridge_refresh; then
+ if sysctl net.link.ether.bridge|grep 1; then
+ bridge="_bridge_on"
+ start_bridge=0
+ else
+ if [ $start_bridge -eq 1 ]; then
+ bridge="_bridge"
+ else
+ bridge="_bridge_off"
+ fi
+ fi
+ fi
+ fi
+
case $1 in
start)
kldload ${vmware_dir}/lib/modules/vmmon_${suffix}.ko
if [ $networking -eq 1 ]; then
- sysctl net.link.ether.bridge_refresh && bridge="_bridge"
kldload if_tap.ko
echo -n >@@LINUX_DIR@@/dev/vmnet1
ifconfig vmnet1 $host_ip netmask $netmask
+ sysctl net.link.ether.bridge
if [ _$bridge != _ ]; then
sysctl -w net.link.ether.bridge_refresh=1
- sysctl -w net.link.ether.bridge=1
+ [ $start_bridge -eq 1 ] && sysctl -w net.link.ether.bridge=1
fi
fi
echo -n " VMware${bridge}" >&2
@@ -40,7 +56,6 @@
if [ $networking -eq 1 ]; then
ifconfig vmnet1 down
ifconfig vmnet1 delete $host_ip
- sysctl net.link.ether.bridge_refresh && bridge="_bridge"
[ _$bridge != _ ] && sysctl -w net.link.ether.bridge_refresh=1
fi
;;
--azLHFNyN32YCQGCU--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000806232339.A3251>