From: Michael Proto <mike@jellydonut.org>
To: FreeBSD Current <freebsd-current@freebsd.org>
Date: Fri, 05 Sep 2008 22:00:28 -0400
Subject: sysctls and if_bridge
Message-ID: <48C1E43C.1010902@jellydonut.org>
List-Id: Discussions about the use of FreeBSD-current

Ran into a strange problem the other day, hoping someone can shed some light on this. Updated 8-CURRENT from 6/14 to 9/02 and noticed a strange thing with my if_bridge interface. It appears as though the sysctls for determining where to enable/disable filtering aren't working. My router has an IP, 1.2.3.4/24, on its vr2 interface, which is bridged to a second vr1 interface for my 3 other static IPs.
/etc/rc.conf:

    ifconfig_vr2="inet 1.2.3.4 netmask 255.255.255.0"
    ifconfig_vr1="up"
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm vr2 addm vr1 up"

/etc/sysctl.conf:

    net.link.bridge.pfil_member=1
    net.link.bridge.pfil_bridge=0

Based on what I've read from the man pages (and how it worked before), this should enable filtering on the vr2 and vr1 interfaces, and not on the bridge0 interface. After updating to 8-CURRENT 9/02 it appears that these sysctl settings no longer matter, and filtering is enabled on both the bridge and member interfaces.

I ultimately had to tweak my /etc/pf.conf and set all my inbound-from-the-Internet vr2 rules to reference bridge0 instead. Outbound rules still use vr2, and I've flipped both sysctl settings with no change in behavior. Traffic flows now, but it appears these sysctls are not working as they should, or I'm really missing something.

Thanks,
Michael Proto
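As an added illustration, not part of the original post: the two filter-point configurations these sysctls are meant to select, each paired with the pf ruleset it calls for, followed by the commands a practitioner would use to confirm on which interface pf is actually seeing the packets. The interface names and 1.2.3.4 are the post's own placeholders; the service port 22 and the use of pfctl's per-rule and per-interface counters as the check are my assumptions, not something the post describes.

```conf
# --- Choice A: filter on the member interfaces, not on bridge0 ---
# /etc/sysctl.conf
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

# /etc/pf.conf (rules reference the physical uplink, as in the post)
ext_if = "vr2"
block in on $ext_if all
pass out on $ext_if all keep state
# hypothetical service on the router's own address (port is an assumption)
pass in on $ext_if inet proto tcp from any to 1.2.3.4 port 22 keep state

# --- Choice B: filter once, on bridge0, and leave the members alone ---
# /etc/sysctl.conf
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1

# /etc/pf.conf (same policy, attached to the bridge interface)
ext_if = "bridge0"
block in on $ext_if all
pass out on $ext_if all keep state
pass in on $ext_if inet proto tcp from any to 1.2.3.4 port 22 keep state

# --- Checks: which interface is pf actually filtering on? ---
#   sysctl net.link.bridge         # current values of pfil_member / pfil_bridge
#   pfctl -v -s rules              # per-rule packet/byte counters
#   pfctl -v -s Interfaces         # per-interface counters: traffic counted on
#                                  # bridge0 under Choice A means pfil_bridge=0
#                                  # is not being honoured by the running kernel
```

Load the ruleset with `pfctl -f /etc/pf.conf` after changing the sysctls, then generate some inbound traffic and read the counters; the rule and interface that increment tell you where the filtering hook is really attached, independent of what the sysctl values claim. Keep the two choices mutually exclusive: with both sysctls set to 1 a bridged packet traverses the ruleset twice, once on the member and once on bridge0, so a stateful rule written for one interface can silently shadow or block the other.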