Date: Tue, 20 May 2025 23:44:58 +0100
From: Lexi Winter <ivy@FreeBSD.org>
To: Paul Vixie <paul@redbarn.org>
Cc: freebsd-net@freebsd.org
Subject: Re: HEADS UP: 15.0-CURRENT, change to bridge(4) might break some network configurations with “Invalid argument”
Message-ID: <aC0F6lNpXkkvScQU@ragweed.eden.le-fay.org>
In-Reply-To: <7a54f675-3c39-43a7-8e06-f63857c3bf91@redbarn.org>
References: <aCsJDjfCNk5pA59c@ragweed.eden.le-fay.org> <7a54f675-3c39-43a7-8e06-f63857c3bf91@redbarn.org>
Paul Vixie:
> If we move all member ifaddrs to the bridge itself, then will arp
> requests always have to be broadcast on all member interfaces? If so
> this is intolerable from a security perspective, a complete
> nonstarter.

I believe Patrick Hausen already answered your original question, but to add to that:

If you are intending to restrict bridge traffic based on member port and/or MAC address, you can do this by enabling one or more of the bridge pfil_* sysctls, and possibly also ipfw_arp, which sounds like it might be relevant to your use-case.

If you only want to force a specific MAC address to a specific member port, you can do this without pfil by defining static host entries via:

    % ifconfig bridge0 static <interface> <address>

Relying on the kernel to have a specific behaviour for ARP packets sent or received on a specific member interface (rather than the bridge itself) is not the right way to do this, since if_bridge(4) has never guaranteed that this will work in any particular way. This *will* end up biting you one day even if you enable the member_ifaddrs sysctl for now.

If your use-case is not covered by any of these sysctls, I would be interested to know more about it so we can support it in bridge.

That said, speaking generally, I think that for this sort of complex, security-sensitive network topology, routed access is a better solution than layer 2 access.
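As an added example that is not part of the thread or of FreeBSD's own tooling: a small sh script that turns a member-port/MAC table into the `ifconfig bridge0 static` entries and the pfil_member / ipfw_arp sysctls the reply describes, validating each address first so a typo cannot leave the bridge half-configured. The bridge name, the em1/em2 members, the MAC table and the decision to enable those sysctls (plus net.link.bridge.ipfw, which layer-2 ipfw filtering depends on) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): prints the if_bridge(4) commands that pin
# one MAC address to each member port with "ifconfig bridgeN static" and enable
# the pfil_member / ipfw_arp sysctls named in the reply. Assumes bridge0 and the
# members already exist. bridge_plan only prints; apply_plan executes (as root).

# Constructed sample table: member interface and the single MAC expected on it.
STATIC_HOSTS="em1 00:11:22:33:44:55
em2 00:11:22:33:44:66"

# Accept only a 6-octet colon-separated MAC so a malformed address is caught
# before any command is emitted or run.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the command sequence for bridge $1 from table $2.
# Returns 1 at the first malformed entry (nothing further is printed).
bridge_plan() {
    bridge=$1
    table=$2
    # pfil_member=1: pf/ipfw rules are also evaluated on each member port.
    # ipfw=1 + ipfw_arp=1: layer-2 ipfw sees bridged frames, ARP included
    # (assumed policy for this example; ipfw rules themselves are not shown).
    echo "sysctl net.link.bridge.pfil_member=1"
    echo "sysctl net.link.bridge.ipfw=1"
    echo "sysctl net.link.bridge.ipfw_arp=1"
    while read -r member mac; do
        [ -n "$member" ] || continue
        if ! valid_mac "$mac"; then
            echo "bridge_plan: $member: malformed address '$mac'" >&2
            return 1
        fi
        # A static entry is not relearned on another member port, so the
        # address stays pinned to the port the operator assigned.
        echo "ifconfig $bridge static $member $mac"
    done <<EOF
$table
EOF
}

# Run a plan on a FreeBSD host; sh -e stops at the first failing command.
apply_plan() {
    bridge_plan "$@" | sh -e
}
```

Run `bridge_plan bridge0 "$STATIC_HOSTS"` to review the commands before `apply_plan` executes them.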
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aC0F6lNpXkkvScQU>
