From: Bob Bishop
Date: Sun, 23 Apr 2023 23:00:05 +0100
To: FreeBSD Hackers
Subject: Host address zero vs bridge, carp and nat
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Hi,

We’re commissioning a new router build here based on 13.2-RC5 (bad timing) and it seems that something is amiss when using host address zero with this combination. More precisely, this setup:

igb1: flags=8963 metric 0 mtu 1500
	options=4e523bb
	ether 00:0d:b9:5f:0f:31
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
igb2: flags=8963 metric 0 mtu 1500
	options=4e523bb
	ether 00:0d:b9:5f:0f:32
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
bridge0: flags=8943 metric 0 mtu 1500
	ether 00:0d:b9:5f:0f:31
	inet x.y.z.0 netmask 0xffffffe0 broadcast x.y.z.31
	inet x.y.z.10 netmask 0xffffffe0 broadcast x.y.z.31 vhid 11
	inet x.y.z.11 netmask 0xffffffe0 broadcast x.y.z.31 vhid 11
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: igb2 flags=143
	        ifmaxaddr 0 port 3 priority 128 path cost 2000000
	member: igb1 flags=143
	        ifmaxaddr 0 port 2 priority 128 path cost 2000000
	groups: bridge
	carp: MASTER vhid 11 advbase 1 advskew 100
	nd6 options=9

doesn’t pass traffic through the bridge. The NAT is in-kernel via ipfw and there are firewall rules in play but they do not seem to be a factor.

Change the primary address on the bridge to eg x.y.z.13 and everything works. carp failover seems to work OK with the zero host in spite of not passing traffic.

We only found this because in live we’ll have a /29 and we are going to run out of addresses if we can’t use zero. The bridge is required to avoid using a switch upstream where we have two routers on redundant fibres using VRRP.

We will solve this by getting a bigger allocation upstream unless anyone has any bright ideas, in default of which I’ll raise a bug report.

-- 
Bob Bishop
rb@gid.co.uk