From: Paul Vixie
To: "Patrick M. Hausen"
Cc: "freebsd-net@freebsd.org"
Subject: Re: HEADS UP: 15.0-CURRENT, change to bridge(4) might break some network configurations with “Invalid argument”
Date: Mon, 19 May 2025 18:45:44 +0000
Message-ID: <5888057.DvuYhMxLoT@localhost>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Monday, May 19, 2025 6:09:08 PM UTC Patrick M. Hausen wrote:
> Hi all,
>
> > On 19.05.2025 at 19:28, Paul Vixie wrote:
> >
> > If we move all member ifaddrs to the bridge itself, then will arp requests
> > always have to be broadcast on all member interfaces? If so this is
> > intolerable from a security perspective, a complete nonstarter.
> I am not quite sure I follow.
>
> A bridge by definition creates a single broadcast domain
> so any frame with a layer 2 broadcast destination address
> must necessarily be flooded to all member ports.

thanks for reminding me that bridges don't have supernets. sorry for the noise.

--
Paul Vixie