From: "Vladimir N. Silyaev"
Date: Sun, 6 Aug 2000 23:23:39 -0400
To: emulation@FreeBSD.ORG
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: vmware changes result in nasty bridging mess
Message-ID: <20000806232339.A3251@jupiter.delta.ny.us>
References: <200008032335.TAA01440@jupiter.delta.ny.us>
In-Reply-To: ; from rwatson@FreeBSD.ORG on Sun, Aug 06, 2000 at 07:14:59PM -0400

Ok, guys. See the fix in the attachment; you should apply it to prevent the current behavior.

On Sun, Aug 06, 2000 at 07:14:59PM -0400, Robert Watson wrote:
> On Thu, 3 Aug 2000, Vladimir N. Silyaev wrote:
>
> > > Bridging on by default may have nasty side effects for multi-interface
> > > machines (especially security side effects).
> >
> > There are several ways to work around that:
> > - compile the kernel without bridging support.
> > - remove the bridge-starting code from the vmware.sh file in the rc.d directory.
> > - create a special bridge cluster with one real interface and one emulated one.
>
> Actually, I was hoping that the vmware port wouldn't interfere with
> existing configurations on the box :-). I compile in the BRIDGE code so
> that I can test/develop with it, not so that ethernet support on the
> notebook can be broken after I install the vmware port, or so that a port
> can arbitrarily turn on bridging of all attached ethernet devices.
>
> > > I haven't read the code (I admit) but I find the current behavior both
> > > (a) irritating (messages) and (b) worrying (unpredicted bridging with
> > > potential side effects).
> >
> > I don't know, I have never seen such an effect. Could you do more testing
> > on that?
>
> The behavior with the wi0 ethernet driver seems to be continuous printing
> of the output included in my previous message.
>
> With the ep0 driver, the results are actually much worse -- I'm unable to
> use networking at all while the bridging sysctl is enabled (the default).
> While the sysctl is enabled, dhclient fails for that interface, and any
> attempt to manually configure and use it results in a route not found.
> When I disable the sysctl, networking begins to work on the box.
>
> The following default-installed startup script is really, really scary:
>
>     sysctl net.link.ether.bridge_refresh && bridge="_bridge"
>     kldload if_tap.ko
>     echo -n >/compat/linux/dev/vmnet1
>     ifconfig vmnet1 $host_ip netmask $netmask
>     if [ _$bridge != _ ]; then
>         sysctl -w net.link.ether.bridge_refresh=1
>         sysctl -w net.link.ether.bridge=1
>     fi
>
> Un-announced, the vmware port enabled bridging between the ethernet
> interfaces on my notebook, generated voluminous output for wi0, and broke
> networking for ep0. This is a security risk, in that it automatically
> enables bridging between previously un-connected LAN segments that may
> have different security properties. This is against POLA in that it
> breaks functionality (networking), bridges packets onto unexpected
> segments (potentially breaking many other things, especially DHCP), etc.
> Previously, use of networking support would create a virtual network
> between the host and the guest OS, but not affect other networking
> functionality.

-- 
Vladimir

[Attachment: vmware.diff]

Index: files/vmware.sh
===================================================================
RCS file: /home/vns/cvs/vmware/vmware/vmmon-only/freebsd/port/files/vmware.sh,v
retrieving revision 1.5
diff -u -r1.5 vmware.sh
--- files/vmware.sh	2000/07/31 00:54:37	1.5
+++ files/vmware.sh	2000/08/07 03:16:16
@@ -8,6 +8,7 @@ networking=@@NETWORKING@@ host_ip=@@HOST_IP@@ netmask=@@NETMASK@@ +start_bridge=0 [ -x $vmware_dir/bin/vmware ] || exit
@@ -19,17 +20,32 @@ exec >/dev/null + if [ $networking -eq 1 ]; then + if sysctl net.link.ether.bridge_refresh; then + if sysctl net.link.ether.bridge|grep 1; then + bridge="_bridge_on" + start_bridge=0 + else + if [ $start_bridge -eq 1 ]; then + bridge="_bridge" + else + bridge="_bridge_off" + fi + fi + fi + fi + case $1 in start) kldload ${vmware_dir}/lib/modules/vmmon_${suffix}.ko if [ $networking -eq 1 ]; then - sysctl net.link.ether.bridge_refresh && bridge="_bridge" kldload if_tap.ko echo -n >@@LINUX_DIR@@/dev/vmnet1 ifconfig vmnet1 $host_ip netmask $netmask + sysctl net.link.ether.bridge if [ _$bridge != _ ]; then sysctl -w net.link.ether.bridge_refresh=1 - sysctl -w net.link.ether.bridge=1 + [ $start_bridge -eq 1 ] && sysctl -w net.link.ether.bridge=1 fi fi echo -n " VMware${bridge}" >&2
@@ -40,7 +56,6 @@ if [ $networking -eq 1 ]; then ifconfig vmnet1 down ifconfig vmnet1 delete $host_ip - sysctl net.link.ether.bridge_refresh && bridge="_bridge" [ _$bridge != _ ] && sysctl -w net.link.ether.bridge_refresh=1 fi ;;
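Review bot: in the first hunk (`@@ -8,6 +8,7 @@`), `start_bridge=0` is a hardwired literal in a script whose other knobs (`networking=@@NETWORKING@@`, `host_ip=@@HOST_IP@@`, `netmask=@@NETMASK@@`) are filled in at install time, so an administrator who does want bridging has to hand-edit the installed vmware.sh and a port reinstall silently resets it to 0. Consider a `@@START_BRIDGE@@` substitution defaulting to 0 (or an rc.conf-style variable) so the opt-in lives with the other settings and survives upgrades. The default of 0 itself is the right answer to the report: the port no longer turns on bridging across every ethernet interface unless someone asks for it.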
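Review bot: in the second hunk (`@@ -19,17 +20,32 @@`), `sysctl net.link.ether.bridge|grep 1` is a substring match over the whole `name: value` line, so any output containing a 1 is taken as "bridging on"; `[ "$(sysctl -n net.link.ether.bridge)" = 1 ]` compares the value exactly. Two smaller points in the same hunk: the bare `sysctl net.link.ether.bridge` added before the `if [ _$bridge != _ ]` test has no visible effect because stdout was already sent to /dev/null by `exec >/dev/null`, and `bridge="_bridge_off"` is a non-empty string, so `sysctl -w net.link.ether.bridge_refresh=1` still runs on boxes where the administrator has not opted in; leaving `bridge` empty in that case (and keeping "_bridge_off" only for the status message) would leave the kernel bridge configuration untouched. The `_bridge_on` branch correctly leaves an existing administrator-configured bridge alone.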
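Review bot: in the third hunk (`@@ -40,7 +56,6 @@`), `[ _$bridge != _ ] && sysctl -w net.link.ether.bridge_refresh=1` now also fires for `_bridge_off`, since that string is non-empty, so stop requests a bridge refresh even where bridging was never enabled; test `$start_bridge` (or the exact sysctl value) instead. Also, when the script did turn bridging on (`start_bridge=1`), stop never sets `net.link.ether.bridge=0`, so bridging stays enabled after VMware is shut down; recording at start that the script enabled it, and reverting only in that case here, would restore the pre-start state without touching an administrator's own bridge.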
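An opt-in version of the quoted startup logic, along the lines Robert's message argues for, as an added example that is not the vmware port's vmware.sh and not from either author. It assumes an rc.conf-style variable `vmware_bridge_enable` (default NO), a state file path `STATE_FILE`, and `sysctl -n` for reading a single value; bridging is compared exactly rather than with `grep 1`, and stop reverts only a bridge this script itself enabled.

```shell
# Added example, not the vmware port's own vmware.sh. Assumed names:
# vmware_bridge_enable (rc.conf style YES/NO, default NO) and STATE_FILE.
BRIDGE_OID=net.link.ether.bridge
REFRESH_OID=net.link.ether.bridge_refresh
STATE_FILE=${STATE_FILE:-/var/run/vmware_bridge.state}

# Exact value of a sysctl; prints nothing if the OID is absent
# (kernel built without BRIDGE), which callers treat as "no bridge code".
sysctl_value() {
    sysctl -n "$1" 2>/dev/null
}

# Decide what start should do from the opt-in flag and the current value.
# Pure function, so it can be tested without a FreeBSD kernel:
#   skip - no bridge code, or the administrator did not opt in (nothing is
#          touched, not even a refresh, so vmnet1 never joins a bridge unasked)
#   keep - opted in and bridging already on: leave the administrator's setting
#   on   - opted in and bridging off: enable it and remember that we did
bridge_action() {
    case "$1" in
        [Yy][Ee][Ss]) ;;
        *) echo skip; return ;;
    esac
    case "$2" in
        "") echo skip ;;
        1)  echo keep ;;
        *)  echo on ;;
    esac
}

bridge_start() {
    action=$(bridge_action "${vmware_bridge_enable:-NO}" "$(sysctl_value $BRIDGE_OID)")
    case "$action" in
        on)   sysctl -w $REFRESH_OID=1
              sysctl -w $BRIDGE_OID=1
              echo on > "$STATE_FILE" ;;      # stop may revert only this
        keep) sysctl -w $REFRESH_OID=1 ;;     # let vmnet1 join the existing cluster
    esac
    echo "$action"
}

# Revert bridging only if this script turned it on; an administrator-configured
# bridge is never modified.
bridge_stop() {
    if [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = on ]; then
        sysctl -w $BRIDGE_OID=0
        rm -f "$STATE_FILE"
    fi
}
```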