Date: Wed, 24 Sep 2008 18:36:35 +0400
From: Eygene Ryabinkin
To: Michael Proto
Cc: FreeBSD Current
Subject: Re: sysctls and if_bridge

Michael, good day.

Wed, Sep 24, 2008 at 10:10:28AM -0400, Michael Proto wrote:
> > Ran into a strange problem the other day, hoping someone can shed some
> > light on this. Updated 8-CURRENT from 6/14 to 9/02 and noticed a strange
> > thing with my if_bridge interface. It appears as though the sysctls for
> > determining where to enable/disable filtering don't seem to be working.
> >
> > My router has an IP, 1.2.3.4/24 on its vr2 interface, which is bridged
> > to a second vr1 interface for my 3 other static IPs.
> >
> > /etc/rc.conf:
> > ifconfig_vr2="inet 1.2.3.4 netmask 255.255.255.0"
> > ifconfig_vr1="up"
> > cloned_interfaces="bridge0"
> > ifconfig_bridge0="addm vr2 addm vr1 up"
> >
> > /etc/sysctl.conf:
> > net.link.bridge.pfil_member=1
> > net.link.bridge.pfil_bridge=0
> >
> > Based on what I've read from the man pages (and how it worked before),
> > this should enable filtering on the vr2 and vr1 interfaces, and not the
> > bridge0 interface. After updating to 8-CURRENT 9/02 it appears that
> > these sysctl settings no longer matter, and filtering is enabled on both
> > the bridge and member interfaces. I ultimately had to tweak my
> > /etc/pf.conf and set all my inbound-from-the-Internet vr2 rules to
> > reference bridge0 instead. Outbound rules still use vr2, and I've
> > flipped both sysctl settings with no change in behavior. Traffic flows
> > now, but it appears these sysctls are not working as they should, or I'm
> > really missing something.

Could you please post your ifconfig output?
-- 
Eygene

Remember that it is hard to read the on-line manual
while single-stepping the kernel.
  -- FreeBSD Developers handbook