From: Lexi Winter <ivy@FreeBSD.org>
To: Paul Vixie
Cc: freebsd-net@freebsd.org
Date: Tue, 20 May 2025 23:44:58 +0100
Subject: Re: HEADS UP: 15.0-CURRENT, change to bridge(4) might break some network configurations with “Invalid argument”
In-Reply-To: <7a54f675-3c39-43a7-8e06-f63857c3bf91@redbarn.org>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Paul Vixie:
> If we move all member ifaddrs to the bridge itself, then will arp
> requests always have to be broadcast on all member interfaces? If so
> this is intolerable from a security perspective, a complete
> nonstarter.

i believe Patrick Hausen already answered your original question, but to add to that:

if you are intending to restrict bridge traffic based on member port and/or MAC address, you can do this by enabling one or more of the bridge pfil_* sysctls, and possibly also ipfw_arp, which sounds like it might be relevant to your use-case.

if you only want to force a specific MAC address to a specific member port, you can do this without pfil by defining static host entries via:

    % ifconfig bridge0 static
relying on the kernel to have a specific behaviour for ARP packets sent or received on a specific member interface (rather than the bridge itself) is not the right way to do this, since if_bridge(4) has never guaranteed that this will work in any particular way. this *will* end up biting you one day even if you enable the member_ifaddrs sysctl for now.

if your use-case is not covered by any of these sysctls, i would be interested to know more about it so we can support it in bridge.

that said, speaking generally, i think that for this sort of complex, security-sensitive network topology, routed access is a better solution than layer 2 access.
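As an added example (not part of Lexi's message and not FreeBSD code), the following POSIX sh script audits an if_bridge(4) forwarding table against the kind of MAC-to-member pinning the message describes: it reports any pinned MAC the bridge has learned on a different member port, and emits the `ifconfig bridge0 static` commands that would make the policy authoritative. The policy and the `ifconfig bridge0 addr` table lines are constructed, and the table's field layout (`<MAC> Vlan<n> <member> <expire> flags=<...>`) is assumed.

```shell
#!/bin/sh
# Added example: audit an if_bridge(4) forwarding table against a
# MAC-to-member pinning policy. Not from the message or from FreeBSD.

# Constructed policy: one "member MAC" pair per line, the same pairs one
# would pin with "ifconfig bridge0 static <member> <MAC>".
POLICY='em0 00:11:22:33:44:55
em1 00:11:22:33:44:66'

# Constructed sample of "ifconfig bridge0 addr" output. The field layout
# "<MAC> Vlan<n> <member> <expire> flags=<...>" is assumed here.
FWD_TABLE='	00:11:22:33:44:55 Vlan1 em0 1200 flags=1<STATIC>
	00:11:22:33:44:66 Vlan1 em2 1187 flags=0<>
	00:aa:bb:cc:dd:ee Vlan1 em3 900 flags=0<>'

# check_fwd_table POLICY TABLE
# Prints "MAC policy_port seen_port" for every pinned MAC that the bridge
# has learned on a port other than the one the policy assigns it; prints
# nothing when the table agrees with the policy.
check_fwd_table() {
    printf '%s\n' "$2" | awk -v policy="$1" '
    BEGIN {
        n = split(policy, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], f, " ") == 2)
                want[tolower(f[2])] = f[1]
    }
    NF >= 3 {
        mac = tolower($1); port = $3
        if ((mac in want) && want[mac] != port)
            printf "%s %s %s\n", mac, want[mac], port
    }'
}

# emit_pin_cmds BRIDGE POLICY
# The ifconfig(8) commands that would pin each MAC to its policy member.
emit_pin_cmds() {
    printf '%s\n' "$2" | awk -v br="$1" 'NF == 2 {
        printf "ifconfig %s static %s %s\n", br, $1, $2 }'
}

# Stand-alone run: report deviations, then show the pinning commands.
check_fwd_table "$POLICY" "$FWD_TABLE"
emit_pin_cmds bridge0 "$POLICY"
```

In the constructed table, 00:11:22:33:44:66 is pinned to em1 by policy but has been learned on em2, so the check reports that one line and nothing else.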