Date: Wed, 15 Jun 2016 14:04:27 +0100
From: Dr Josef Karthauser <joe@truespeed.com>
To: freebsd-net@freebsd.org
Subject: IPFW: Packet forwarding with bridges and vlans and Vimage? With an IP address.
Message-ID: <A30D4419-5796-4109-AB97-0F3B4BDB8D16@truespeed.com>
I'm bridging traffic on a FreeBSD-10.3 machine, between a vlan and a VIMAGE enabled Jail:

vlan9: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 0c:c4:7a:7d:4f:1e
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 9 parent interface: igb0
bridge9: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:02:28:ac:d2:09
        nd6 options=9<PERFORMNUD,IFDISABLED>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0:6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 12 priority 128 path cost 2000
        member: vlan9 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 20000
vnet0:6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: aec07207-31b9-11e6-8bed-0cc47a7d4f1e
        options=8<VLAN_MTU>
        ether 02:ff:60:ae:c0:72
        inet6 fe80::ff:60ff:feae:c072%vnet0:6 prefixlen 64 scopeid 0xc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active

All is good in the world, until I also add an IP address to vlan9. When that happens IPFW appears to gobble up packets originating from vnet0:6. They appear on bridge9, but aren't forwarded in an egress direction down vlan9.

I don't have any sysctls relating to bridge filtering enabled:

net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0

But, with an IP address assigned to vlan9, packets are getting filtered:

# ifconfig vlan9 inet 192.168.9.250/24
# tcpdump -i bridge9
13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
13:58:10.497760 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497892 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
# tcpdump -i vlan9
13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497725 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320

# ifconfig vlan9 inet delete
# tcpdump -i bridge9
14:00:58.486653 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486795 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
# tcpdump -i vlan9
14:00:58.486634 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486792 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

I don't have IP forwarding switched on and so I'd expect bridged packets to carry on being bridged irrespective of whether vlan9 has an IP address or not. What's strange is that ingress packets to the bridge are being forwarded ok, but egress packets out onto the vlan are being filtered.

Is there something obvious that I've missed?
Cheers,
Joe

Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com
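Added example, not part of Joe's message: a small POSIX sh script that automates the comparison he did by hand, listing flows that appear in a bridge9 capture but not in the vlan9 capture (the DHCP reply that is being dropped on egress). The embedded capture lines are constructed from the tcpdump output above; on the real box, feed it the output of the two tcpdump commands instead.

```shell
#!/bin/sh
# Constructed sample captures, modelled on the tcpdump lines in the message:
# the bridge sees both the DHCP request and the reply, the vlan only the request.
BRIDGE_CAP='13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300'
VLAN_CAP='13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320'

# flows: reduce tcpdump lines to a sorted, de-duplicated "src > dst" list.
# Timestamps and payload details are dropped so that the same flow seen at
# slightly different times on two interfaces compares equal.
flows() {
    printf '%s\n' "$1" \
        | awk '$2 == "IP" { sub(/:$/, "", $5); print $3, $4, $5 }' \
        | sort -u
}

# missing_on_vlan: flows present in the bridge capture ($1) but absent from
# the vlan capture ($2), i.e. the traffic that never makes it out of the bridge.
# Temp files are used because POSIX sh has no process substitution.
missing_on_vlan() {
    b=$(mktemp) && v=$(mktemp) || return 1
    flows "$1" > "$b"
    flows "$2" > "$v"
    comm -23 "$b" "$v"
    rm -f "$b" "$v"
}

# With the address on vlan9 (captures above) the DHCP reply flow is reported.
missing_on_vlan "$BRIDGE_CAP" "$VLAN_CAP"
```

After `ifconfig vlan9 inet delete`, the same comparison on fresh captures should print nothing.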