From: Dr Josef Karthauser
Date: Wed, 15 Jun 2016 14:04:27 +0100
Subject: IPFW: Packet forwarding with bridges and vlans and Vimage? With an IP address.
To: freebsd-net@freebsd.org

I'm bridging traffic on a FreeBSD-10.3 machine, between a vlan and a VIMAGE enabled Jail:

vlan9: flags=8943 metric 0 mtu 1500
	ether 0c:c4:7a:7d:4f:1e
	nd6 options=29
	media: Ethernet autoselect (1000baseT )
	status: active
	vlan: 9 parent interface: igb0
bridge9: flags=8943 metric 0 mtu 1500
	ether 02:02:28:ac:d2:09
	nd6 options=9
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: vnet0:6 flags=143
	        ifmaxaddr 0 port 12 priority 128 path cost 2000
	member: vlan9 flags=143
	        ifmaxaddr 0 port 9 priority 128 path cost 20000
vnet0:6: flags=8943 metric 0 mtu 1500
	description: associated with jail: aec07207-31b9-11e6-8bed-0cc47a7d4f1e
	options=8
	ether 02:ff:60:ae:c0:72
	inet6 fe80::ff:60ff:feae:c072%vnet0:6 prefixlen 64 scopeid 0xc
	nd6 options=21
	media: Ethernet 10Gbase-T (10Gbase-T )
	status: active

All is good in the world, until I also add an IP address to vlan9. When that happens IPFW appears to gobble up packages originating from vnet0:6. They appear on bridge9, but aren't forwarded in an egress direction down vlan9.
I don't have any sysctls relating to bridge filtering enabled:

net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0

But, with an IP address assigned to vlan9, packets are getting filtered:

# ifconfig vlan9 inet 192.168.9.250/24
# tcpdump -i bridge9
13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
13:58:10.497760 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497892 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
# tcpdump -i vlan9
13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497725 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
# ifconfig vlan9 inet delete
# tcpdump -i bridge9
14:00:58.486653 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486795 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
# tcpdump -i vlan9
14:00:58.486634 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486792 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

I don't have IP forwarding switched on and so I'd expect bridged packets to carry on being bridged irrespective of whether vlan9 has an IP address or not.

What's strange is that ingress packets to the bridge are being forwarded ok, but egress packets out onto the vlan are being filtered.

Is there something obvious that I've missed?
Cheers,
Joe
--
Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com / theTRUESPEED @theTRUESPEED
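To pin down which packets enter the bridge but never leave on a given member port, here is an added example (not part of Joe's post or of FreeBSD) that parses tcpdump summary lines of the form shown above and diffs the bridge9 capture against the vlan9 capture; the sample captures are constructed by copying the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed samples copied from the tcpdump lines quoted in the post
# (this is not a capture file from the original machine).
BRIDGE9_WITH_IP = """\
13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
13:58:10.497760 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497892 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
"""
VLAN9_WITH_IP = """\
13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497725 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
"""
# The same pair of captures after "ifconfig vlan9 inet delete".
BRIDGE9_NO_IP = """\
14:00:58.486653 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486795 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
"""
VLAN9_NO_IP = """\
14:00:58.486634 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486792 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
"""

# tcpdump "IP" summary line: timestamp, src, dst, description, length.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (.*), length (\d+)$")

def parse_capture(text):
    """Parse tcpdump summary lines into (ts, src, dst, desc, length) tuples."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, desc, length = m.groups()
            pkts.append((ts, src, dst, desc, int(length)))
    return pkts

def flow_key(pkt):
    """Identify a packet by endpoints and size; timestamps differ per interface."""
    _, src, dst, _, length = pkt
    return (src, dst, length)

def missing_on_member(bridge_pkts, member_pkts):
    """Flows seen on the bridge more often than on the member port, i.e. packets
    that entered the bridge but were never emitted on that port."""
    seen = Counter(flow_key(p) for p in bridge_pkts)
    passed = Counter(flow_key(p) for p in member_pkts)
    return {k: seen[k] - passed[k] for k in seen if seen[k] > passed[k]}
```

Run on the "with IP" pair, missing_on_member reports only the two DHCP replies from 192.168.9.3 (the egress direction towards vlan9); on the "no IP" pair it returns an empty dict, matching the behaviour described in the post.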