Re: Help with bridge and new IP requirements

From: Lexi Winter <ivy_at_freebsd.org>
Date: Wed, 10 Sep 2025 18:56:04 UTC
Andrea Venturoli:
> Simplifying a bit, I have:
> > cloned_interfaces="bridge0 lagg0 tap0 vlan1"
> > ifconfig_em0="up"
> > ifconfig_em1="up"
> > ifconfig_lagg0="up laggproto lacp laggport em0 laggport em1"
> > ifconfig_vlan1="inet 192.168.1.15 netmask 255.255.255.0 vlan 1 vlandev lagg0"
> > ifconfig_bridge0="up addm vlan1"
> 
> If I understand correctly, I need to change this to:
> > cloned_interfaces="bridge0 lagg0 tap0 vlan1"
> > ifconfig_em0="up"
> > ifconfig_em1="up"
> > ifconfig_lagg0="up laggproto lacp laggport em0 laggport em1"
> > ifconfig_vlan1="up vlan 1 vlandev lagg0"
> > ifconfig_bridge0="inet 192.168.1.15 netmask 255.255.255.0 addm vlan1"
> Is this correct?

this seems correct to me.

> AFAICT this works, except for ipfw.
> 
> I have:
> > # sysctl -a|grep -E "bridge.*(pfil|ipfw)"
> > net.link.bridge.ipfw: 0
> > net.link.bridge.pfil_local_phys: 1
> > net.link.bridge.pfil_member: 1
> > net.link.bridge.ipfw_arp: 0
> > net.link.bridge.pfil_bridge: 0
> > net.link.bridge.pfil_onlyip: 1
> 
> So I'd expect I would need to use rules on the member interfaces (e.g.
> vlan1), as I've always done.
> Yet I see packets are being blocked on bridge0. E.g.:
> > kernel: ipfw: 1997 Deny ICMP:8.0 192.168.1.18 192.168.1.15 in via bridge0

what exactly are you trying to achieve here?

with the new configuration, from pfil's perspective, packets for VLAN 1
should be seen as arriving on the "bridge0" interface.  so, if you want
to filter what the host can send and receive on this VLAN, simply use
the "bridge0" interface in your filters.

then, you should set net.link.bridge.pfil_local_phys=0 because you are
only filtering layer 3 traffic.

if you are trying to do layer 2 filtering (i.e., you want to filter what
bridge ports can send to each other) then this is more complicated and,
to be honest, i don't use L2 filtering so i'm not an expert on how this
should work, but if you can describe the desired outcome, someone might
be able to suggest something.
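As an added illustration (not part of this thread, and not FreeBSD project code), the following Python script parses ipfw log lines of the form quoted above and reports on which interface each Deny hit occurred, so that after moving the address onto bridge0 one can check from the logs that filtering is happening on "bridge0" rather than on member interfaces such as vlan1. The sample log lines are constructed; the first one is the line from the thread, the rest are made up in the same format.

```python
"""Summarise ipfw Deny messages per interface to confirm where filtering happens."""
import re
from collections import Counter

# Matches the core of an ipfw log line, e.g.
#   kernel: ipfw: 1997 Deny ICMP:8.0 192.168.1.18 192.168.1.15 in via bridge0
# Any syslog prefix before "ipfw:" is ignored.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_line(line):
    """Return a dict with rule, action, proto, src, dst, dir, iface, or None."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec

def denies_per_interface(lines):
    """Count Deny hits per interface (Counter), ignoring unparseable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny":
            counts[rec["iface"]] += 1
    return counts

def denies_off_expected(lines, expected_ifaces):
    """Return Deny records on interfaces not in expected_ifaces.
    With the host's IP on bridge0, expected_ifaces would be {"bridge0"}; hits on
    member interfaces (vlan1 etc.) suggest rules still target the old layout."""
    return [rec for rec in map(parse_ipfw_line, lines)
            if rec and rec["action"] == "Deny" and rec["iface"] not in expected_ifaces]

# Constructed sample log lines (the first is the one quoted in the thread).
SAMPLE_LOG = [
    "Sep 10 18:00:01 host kernel: ipfw: 1997 Deny ICMP:8.0 192.168.1.18 192.168.1.15 in via bridge0",
    "Sep 10 18:00:02 host kernel: ipfw: 1997 Deny TCP 192.168.1.18:51000 192.168.1.15:22 in via bridge0",
    "Sep 10 18:00:03 host kernel: ipfw: 500 Deny UDP 192.168.1.20:5353 224.0.0.251:5353 in via vlan1",
    "Sep 10 18:00:04 host kernel: ipfw: 100 Accept TCP 192.168.1.15:22 192.168.1.18:51000 out via bridge0",
    "Sep 10 18:00:05 host kernel: unrelated message",
]

if __name__ == "__main__":
    print(denies_per_interface(SAMPLE_LOG))
    for rec in denies_off_expected(SAMPLE_LOG, {"bridge0"}):
        print("deny outside bridge0:", rec)
```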