IPFW: Packet forwarding with bridges and vlans and Vimage? With an IP address.

Dr Josef Karthauser joe at truespeed.com
Wed Jun 15 13:13:57 UTC 2016


I’m bridging traffic on a FreeBSD-10.3 machine, between a vlan and a VIMAGE enabled Jail:


vlan9: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 0c:c4:7a:7d:4f:1e
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 9 parent interface: igb0
bridge9: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:02:28:ac:d2:09
	nd6 options=9<PERFORMNUD,IFDISABLED>
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: vnet0:6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 12 priority 128 path cost 2000
	member: vlan9 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 9 priority 128 path cost 20000
vnet0:6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: associated with jail: aec07207-31b9-11e6-8bed-0cc47a7d4f1e
	options=8<VLAN_MTU>
	ether 02:ff:60:ae:c0:72
	inet6 fe80::ff:60ff:feae:c072%vnet0:6 prefixlen 64 scopeid 0xc 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active

All is good in the world, until I also add an IP address to vlan9. When that happens IPFW appears to gobble up packets originating from vnet0:6.  They appear on bridge9, but aren’t forwarded in an egress direction down vlan9.

I don’t have any sysctls relating to bridge filtering enabled:

net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0

But, with an IP address assigned to vlan9, packets are getting filtered:

# ifconfig vlan9 inet 192.168.9.250/24

# tcpdump -i bridge9
13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
13:58:10.497760 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497892 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

# tcpdump -i vlan9
13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497725 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320

# ifconfig vlan9 inet delete

# tcpdump -i bridge9
14:00:58.486653 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486795 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

# tcpdump -i vlan9
14:00:58.486634 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486792 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

I don’t have IP forwarding switched on and so I’d expect bridged packets to carry on being bridged irrespective of whether vlan9 has an IP address or not.

What’s strange is that ingress packets to the bridge are being forwarded ok, but egress packets out onto the vlan are being filtered.

Is there something obvious that I’ve missed?

Cheers,
Joe

— 
Dr Josef Karthauser
Chief Technical Officer
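Two checks a practitioner would run before blaming ipfw, written here as an added example (not part of the post above, and not FreeBSD's own tooling): the first lists every sysctl that can push bridged frames through the packet filter, including the net.link.bridge.pfil_member / pfil_bridge / pfil_onlyip knobs documented in if_bridge(4) that the post does not show; the second takes two tcpdump captures (bridge and member, taken at the same time) and prints the frames seen on the bridge that never appeared on the member, which is exactly the egress loss described. Both helpers read pasted text, so they run anywhere; the sysctl listing and the capture lines embedded below are constructed samples (the pfil_* values are assumed, not taken from the post). On the FreeBSD host you would feed them live output from `sysctl` and `tcpdump -nn` instead.

```shell
#!/bin/sh
# Added diagnostic helpers for the bridge/ipfw question above. Nothing here is
# the poster's or FreeBSD's own code; the sample data is constructed.

# Constructed sample: the three knobs from the post plus the pfil_* knobs from
# if_bridge(4). The pfil_* values are assumptions for the example.
SAMPLE_SYSCTL='net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_local_phys: 0
net.inet.ip.forwarding: 0'

# Constructed captures, modelled on the post: the DHCP reply is seen on the
# bridge but never leaves via the member.
BRIDGE_CAPTURE='13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
13:58:10.497760 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497892 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300'
MEMBER_CAPTURE='13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497725 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320'

# Read `sysctl` output on stdin and print every knob that can hand bridged
# frames to the firewall and is currently non-zero.
# Exit status: 0 if at least one such knob is set, 1 if none are.
bridge_filter_knobs() {
    awk '
        /^net\.link\.bridge\.pfil_(member|bridge|onlyip|local_phys):/ ||
        /^net\.link\.bridge\.ipfw(_arp)?:/ ||
        /^net\.link\.ether\.ipfw:/ {
            if ($2 != 0) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Drop the leading tcpdump timestamp so one frame seen on two interfaces
# compares equal.
strip_ts() { sed 's/^[0-9:.]* //'; }

# Frames present in the bridge capture ($1) but absent from the member
# capture ($2), printed once each. With ingress working and egress dropped,
# these are the frames that should have left through the member.
missing_on_member() {
    {
        printf '%s\n' "$2" | strip_ts
        echo '---END-MEMBER---'
        printf '%s\n' "$1" | strip_ts
    } | awk '
        /^---END-MEMBER---$/ { inbridge = 1; next }
        !inbridge            { seen[$0] = 1; next }
        !($0 in seen) && !dup[$0]++'
}

# Demo on the constructed samples.
echo "filter-capable knobs that are set:"
printf '%s\n' "$SAMPLE_SYSCTL" | bridge_filter_knobs || echo "  (none)"
echo "frames seen on the bridge but not on the member:"
missing_on_member "$BRIDGE_CAPTURE" "$MEMBER_CAPTURE"
```

On the FreeBSD machine the live equivalents are `sysctl net.link.bridge net.link.ether.ipfw net.inet.ip.forwarding | bridge_filter_knobs` and two simultaneous `tcpdump -nn -i bridge9` / `tcpdump -nn -i vlan9` runs fed to `missing_on_member`. If the second helper reports the lost replies, `ipfw -a list` (rule counters) taken before and after reproducing the loss shows which rule, if any, is counting them; a counter that does not move points away from ipfw and at the bridge code path instead.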


