From: Kristof Provost
To: Marek Zarychta
Cc: Cy Schubert, ivy@freebsd.org, freebsd-current@freebsd.org
Subject: Re: epair(4)
Date: Fri, 16 May 2025 23:38:57 +0200
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 16 May 2025, at 23:26, Marek Zarychta wrote:

> On 16.05.2025 at 22:38, Kristof Provost wrote:
>> On 15 May 2025, at 21:32, Marek Zarychta wrote:
>>> On 15.05.2025 at 20:59, Cy Schubert wrote:
>>>> In message <20250515162552.9209B20E@slippy.cwsent.com>, Cy Schubert
>>>> writes:
>>>>> Over the last couple of days epair(4) fails to set up when an IP
>>>>> address is specified.
>>>>>
>>>>> bob# service jail onestart test2
>>>>> Starting jails: cannot start jail "test2":
>>>>> epair0a
>>>>> ifconfig: ioctl (SIOCAIFADDR): Invalid argument
>>>>> jail: test2: /sbin/ifconfig epair0a inet 10.1.1.70 netmask 0xffffff00 up:
>>>>> failed
>>>>> .
>>>>> bob# ifconfig epair0a inet 10.1.1.70 netmask 0xffffff00
>>>>> ifconfig: ioctl (SIOCAIFADDR): Invalid argument
>>>>> bob# ifconfig epair0a inet up
>>>>> bob#
>>>>>
>>>> This regression is caused by b61850c4e6f6.
>>>>
>>> Yes, it requires at least head up, similar to old one, known from
>>> fibs:
>>>
>>> WARNING: Configuring address on bridge(4) member has been turned off
>>> by default. Consider tuning net.link.bridge.member_ifaddrs if
>>> needed.
>>>
>> The error message should not suggest changing the sysctl. This is a
>> configuration error and will lead to subtle and unexpected problems.
>>
>> The intent is for the sysctl to go away and for this to be entirely
>> disallowed, without a way to bypass the check in 16.0.
>>
>> As Lexi pointed out in another e-mail: users should assign addresses
>> to the bridge, never to bridge member interfaces.
>>
>> —
>> Kristof
>>
> Thanks for the statement. Some may consider this a POLA violation. If
> you insist on removing the sysctl, it will require additional work to
> update all existing vm-bhyve and jail setups before upgrading to
> 16.0-RELEASE, whenever it is released.
>

Only the misconfigured ones. There’s no reason to ever assign IP addresses to member interfaces.
Again, `ifconfig bridge0 inet 192.0.2.1/24` is perfectly okay and will continue to work. `ifconfig bridge0 addm epair0a ; ifconfig epair0a inet 192.0.2.1/24` is not.
The documentation has had this warning for a long time: “If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces.”
https://docs.freebsd.org/en/books/handbook/advanced-networking/index.html

It should probably have been more prominent, but preventing foot-shooting is better than warning about the foot-shooting.

—
Kristof
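
An added example, not part of the original message or of FreeBSD: one way to find the setups the thread calls misconfigured, by listing bridge(4) members that carry their own IP address. The function names are hypothetical, the sample text is constructed in the layout ifconfig(8) prints, and skipping link-local inet6 addresses is an assumption of this example.

```shell
#!/bin/sh
# Added example: list bridge members that carry their own IP address.
# Reads `ifconfig -a` text on stdin, so it can be run on saved output too.

find_addressed_members() {
    awk '
        # Interface header, e.g. "bridge0: flags=8843<...>"
        /^[^ \t]/ { ifname = $1; sub(/:$/, "", ifname); next }
        # Inside a bridge stanza: "member: epair0a flags=143<...>"
        $1 == "member:" { bridge_of[$2] = ifname; next }
        # Addresses configured on the current interface
        $1 == "inet" { addrs[ifname] = addrs[ifname] " " $2; next }
        # Skipping link-local inet6 is a choice made for this example
        $1 == "inet6" && $2 !~ /^fe80:/ { addrs[ifname] = addrs[ifname] " " $2 }
        END {
            for (m in bridge_of)
                if (m in addrs)
                    printf "%s (member of %s):%s\n", m, bridge_of[m], addrs[m]
        }
    ' | sort
}

# Constructed sample in the layout ifconfig(8) prints; not captured output.
sample_ifconfig() {
    cat <<'EOF'
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:00:00:01
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        groups: bridge
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:0a
        inet 10.1.1.70 netmask 0xffffff00 broadcast 10.1.1.255
        groups: epair
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:1a
        inet6 fe80::ff:fe00:1a%epair1a prefixlen 64 scopeid 0x5
        groups: epair
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
EOF
}

# On a live host: ifconfig -a | find_addressed_members
sample_ifconfig | find_addressed_members
```

Each reported interface is a candidate for moving its address to the bridge itself, as in the `ifconfig bridge0 inet 192.0.2.1/24` form from the message.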
