Date: Wed, 10 Sep 2025 19:56:04 +0100
From: Lexi Winter <ivy@freebsd.org>
To: Andrea Venturoli <ml@netfence.it>
Cc: freebsd-net@freebsd.org
Subject: Re: Help with bridge and new IP requirements
Message-ID: <aMHJxF__hASEVQfe@amaryllis.le-fay.org>
In-Reply-To: <24b8c39e-b1a3-4cd3-accc-c86a03e21689@netfence.it>
References: <24b8c39e-b1a3-4cd3-accc-c86a03e21689@netfence.it>
Andrea Venturoli:
> Simplifying a bit, I have:
> > cloned_interfaces="bridge0 lagg0 tap0 vlan1"
> > ifconfig_em0="up"
> > ifconfig_em1="up"
> > ifconfig_lagg0="up laggproto lacp laggport em0 laggport em1"
> > ifconfig_vlan1="inet 192.168.1.15 netmask 255.255.255.0 vlan 1 vlandev lagg0"
> > ifconfig_bridge0="up addm vlan1"
>
> If I understand correctly, I need to change this to:
> > cloned_interfaces="bridge0 lagg0 tap0 vlan1"
> > ifconfig_em0="up"
> > ifconfig_em1="up"
> > ifconfig_lagg0="up laggproto lacp laggport em0 laggport em1"
> > ifconfig_vlan1="up vlan 1 vlandev lagg0"
> > ifconfig_bridge0="inet 192.168.1.15 netmask 255.255.255.0 addm vlan1"
> Is this correct?

this seems correct to me.

> AFAICT this works, except for ipfw.
>
> I have:
> > # sysctl -a|grep -E "bridge.*(pfil|ipfw)"
> > net.link.bridge.ipfw: 0
> > net.link.bridge.pfil_local_phys: 1
> > net.link.bridge.pfil_member: 1
> > net.link.bridge.ipfw_arp: 0
> > net.link.bridge.pfil_bridge: 0
> > net.link.bridge.pfil_onlyip: 1
>
> So I'd expect I would need to use rules on the member interfaces (e.g.
> vlan1), as I've always done.
> Yet I see packets are being blocked on bridge0. E.g.:
> > kernel: ipfw: 1997 Deny ICMP:8.0 192.168.1.18 192.168.1.15 in via bridge0

what exactly are you trying to achieve here?

with the new configuration, from pfil's perspective, packets for VLAN 1 should be seen as arriving on the "bridge0" interface. so, if you want to filter what the host can send and receive on this VLAN, simply use the "bridge0" interface in your filters. then, you should set net.link.bridge.pfil_local_phys=0 because you are only filtering layer 3 traffic.

if you are trying to do layer 2 filtering (i.e., you want to filter what bridge ports can send to each other) then this is more complicated and, to be honest, i don't use L2 filtering so i'm not an expert on how this should work, but if you can describe the desired outcome, someone might be able to suggest something.
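As an added check (example code written for this page, not from the thread or from FreeBSD): a small parser for ipfw's syslog lines that tallies Deny entries by the interface named after "via", so you can confirm whether the kernel is matching the host's traffic on bridge0 or on the member vlan1 before moving your rules. Only the first sample line is the entry quoted in the thread; the other log lines, timestamps and hostname are constructed.

```python
import re
from collections import Counter

# ipfw syslog line format, as quoted in the thread:
#   "kernel: ipfw: 1997 Deny ICMP:8.0 192.168.1.18 192.168.1.15 in via bridge0"
# Fields: rule number, action, protocol (ICMP carries ":type.code"), source,
# destination (TCP/UDP carry ":port"), direction, and the interface ipfw saw.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Za-z0-9]+)(?::(?P<extra>\S+))? "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None for non-ipfw lines."""
    m = IPFW_RE.search(line)
    return m.groupdict() if m else None


def denies_by_interface(lines):
    """Count Deny hits per (interface, direction).

    With the address moved onto bridge0, layer 3 traffic for the host shows up
    as 'via bridge0', which is the interface the ipfw rules then have to name.
    """
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is not None and rec["action"] == "Deny":
            counts[(rec["iface"], rec["direction"])] += 1
    return counts


# Constructed sample log: line 1 is the entry quoted in the thread, the rest
# are made-up entries in the same format (timestamps and hostname invented).
SAMPLE_LOG = [
    "Sep 10 19:40:01 gw kernel: ipfw: 1997 Deny ICMP:8.0 192.168.1.18 192.168.1.15 in via bridge0",
    "Sep 10 19:40:02 gw kernel: ipfw: 1997 Deny TCP 192.168.1.18:51234 192.168.1.15:22 in via bridge0",
    "Sep 10 19:40:03 gw kernel: ipfw: 100 Accept ICMP:0.0 192.168.1.15 192.168.1.18 out via bridge0",
    "Sep 10 19:40:04 gw sshd[812]: Accepted publickey for ops from 192.168.1.20 port 40022 ssh2",
    "Sep 10 19:40:05 gw kernel: ipfw: 2000 Deny UDP 192.168.1.40:68 255.255.255.255:67 in via vlan1",
]

if __name__ == "__main__":
    for (iface, direction), n in sorted(denies_by_interface(SAMPLE_LOG).items()):
        print(f"{n:4d} denied {direction:3s} via {iface}")
```

On a live system, feed it `grep ipfw /var/log/security` (or wherever syslog.conf sends the kernel's ipfw messages) instead of SAMPLE_LOG.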