Re: git: b61850c4e6f6 - main - bridge(4): default net.link.bridge.member_ifaddrs to false

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 19 May 2025 08:34:56 UTC
On 18 May 2025, at 22:39, Shawn Webb wrote:
> I wonder if there is any security difference between DHCP on the
> physical interface versus the bridge. Having the bridge grab an IP via
> DHCP (or IPv6 SLAAC/DHCPv6) means that VMs must be trusted. If a VM is
> compromised, a threat actor could redirect traffic on the host by
> running their own DHCP service in the compromised VM.
>
> The question I have, though, is: is this an issue when the physical
> interface is used instead of the bridge for grabbing a dynamic IP?
>
> So, I guess I'm asking, is there any security difference between the
> following two configs:
>
> ==== BEGIN CONFIG 1 ====
> ifconfig_re0="DHCP"
> cloned_interfaces="bridge0 tap0"
> ifconfig_bridge0="addm re0 addm tap0"
> ==== END CONFIG 1 ====
>
> ==== BEGIN CONFIG 2 ====
> ifconfig_re0="up"
> cloned_interfaces="bridge0 tap0"
> ifconfig_bridge0="DHCP addm re0 addm tap0"
> synchronous_dhclient="YES"
> ==== END CONFIG 2 ====
>
I’ve not actually tested it, but given that ether_output() (which is going to be the ifp->if_output for most interfaces) does this: https://cgit.freebsd.org/src/tree/sys/net/if_ethersubr.c#n417
(i.e. it outputs via if_bridge’s code rather than directly) I believe this doesn’t make any difference at all.

—
Kristof
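An added example, not part of the thread: a small POSIX sh audit script that reads rc.conf-style fragments and reports, for each interface configured with the DHCP keyword, whether it is the bridge itself or an `addm` member of a bridge. Either way the DHCP client ends up on the bridged segment, which is the situation the thread discusses. The two fragments are the CONFIG 1 / CONFIG 2 blocks from the quoted message embedded as constructed strings; the helper names (`dhcp_ifaces`, `bridge_of`, `dhcp_segment`) are hypothetical, and the parser only handles the simple `ifconfig_<if>="..."` form shown above.

```shell
#!/bin/sh
# Constructed input: the two rc.conf fragments from the quoted message.
CONFIG1='ifconfig_re0="DHCP"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm re0 addm tap0"'

CONFIG2='ifconfig_re0="up"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="DHCP addm re0 addm tap0"
synchronous_dhclient="YES"'

# Print every interface whose ifconfig_* line carries the DHCP or SYNCDHCP
# keyword, i.e. the interface(s) a dhclient will be started on.
dhcp_ifaces() {
    printf '%s\n' "$1" |
        sed -n 's/^ifconfig_\([A-Za-z0-9_]*\)="\(.*\)"$/\1 \2/p' |
        while read -r ifn opts; do
            case " $opts " in
                *" DHCP "*|*" SYNCDHCP "*) printf '%s\n' "$ifn" ;;
            esac
        done
}

# Print the bridge interface that lists $2 after an "addm" token, if any.
bridge_of() {
    cfg=$1
    want=$2
    printf '%s\n' "$cfg" |
        sed -n 's/^ifconfig_\(bridge[0-9]*\)="\(.*\)"$/\1 \2/p' |
        while read -r br opts; do
            set -- $opts
            prev=""
            for tok in "$@"; do
                if [ "$prev" = "addm" ] && [ "$tok" = "$want" ]; then
                    printf '%s\n' "$br"
                fi
                prev=$tok
            done
        done
}

# For each DHCP interface, say where it sits: the bridge itself, a member of
# a bridge, or a standalone interface. A bridge or a member shares the
# broadcast domain with every other member (tap0 here), so DHCP traffic
# originating in a VM reaches the client in both of the first two cases.
dhcp_segment() {
    cfg=$1
    for ifn in $(dhcp_ifaces "$cfg"); do
        case $ifn in
            bridge*) printf '%s bridge\n' "$ifn" ;;
            *)
                br=$(bridge_of "$cfg" "$ifn")
                if [ -n "$br" ]; then
                    printf '%s member-of-%s\n' "$ifn" "$br"
                else
                    printf '%s standalone\n' "$ifn"
                fi
                ;;
        esac
    done
}

report() {
    printf 'CONFIG 1: %s\n' "$(dhcp_segment "$CONFIG1")"
    printf 'CONFIG 2: %s\n' "$(dhcp_segment "$CONFIG2")"
}

report
```

Run against a real /etc/rc.conf by replacing the constructed strings with `$(cat /etc/rc.conf)`; only the `standalone` classification indicates a DHCP client that is not exposed to bridge members.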