IPFW: Packet forwarding with bridges and vlans and Vimage? With an IP address.

Dr Josef Karthauser joe at truespeed.com
Wed Jun 15 13:25:44 UTC 2016


> On 15 Jun 2016, at 14:04, Dr Josef Karthauser <joe at truespeed.com> wrote:
> 
> I don’t have IP forwarding switched on and so I’d expect bridged packets to carry on being bridged irrespective of whether vlan9 has an IP address or not.
> 
> What’s strange is that ingress packets to the bridge are being forwarded ok, but egress packets out onto the vlan are being filtered.
> 
> Is there something obvious that I’ve missed?
> 
> Cheers,
> Joe

Ok, I’ve narrowed the problem down. It’s related to the anti spoofing ruleset.

I’ve also got this in my ruleset:

deny log ip from any to any not antispoof in

What’s strange is that when vlan9 has an ip address this rule starts triggering for interfaces that it didn’t before:

Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13
Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via bridge9
Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13

Without the IP address I don’t get any of these logged and no packets are filtered.

Why would anti-spoof filtering filter traffic on interfaces without IP addresses assigned when vlan9 is given an interface? I might expect that behaviour on the vlan, but not the other bridged interfaces.

Is this a “feature”?

Joe
— 
Dr Josef Karthauser
Chief Technical Officer

More information about the freebsd-net mailing list
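
The logged denies are consistent with how ipfw(8) documents the antispoof option: an incoming packet whose source lies on a directly connected network matches only if it arrived on the interface that network is attached to, and a source on no connected network always matches. The following simplified model is an added example, not part of the original message or of ipfw itself; it replays two of the log lines above, and the vlan9 address 192.168.9.1/24 is an assumption, since the message does not give it.

```python
import ipaddress
import re

# Constructed assumption: the message does not state vlan9's address or prefix.
ASSUMED_VLAN9 = ipaddress.ip_interface("192.168.9.1/24")

# Log lines copied from the message above.
LOG = """\
Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13
Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via bridge9
"""

LINE = re.compile(r"ipfw: (\d+) Deny \S+ ([\d.]+):\d+ [\d.]+:\d+ in via (\S+)")


def antispoof_matches(src, rcvif, connected):
    """Simplified model of the ipfw(8) 'antispoof' option for an incoming packet.

    connected maps interface name -> ip_interface configured on that interface.
    """
    src = ipaddress.ip_address(src)
    for ifname, addr in connected.items():
        if src in addr.network:
            # Source is on a directly connected network: the option matches
            # only when the packet arrived on that same interface.
            return ifname == rcvif
    return True  # source is not on any connected network: the option matches


def denied(src, rcvif, connected):
    """'deny ... not antispoof in' fires when the option does NOT match."""
    return not antispoof_matches(src, rcvif, connected)


def replay(log, connected):
    """Return (rule, src, rcvif, denied) for each logged packet."""
    return [(int(r), s, i, denied(s, i, connected))
            for r, s, i in LINE.findall(log)]


if __name__ == "__main__":
    cases = (("vlan9 without IP", {}), ("vlan9 with IP", {"vlan9": ASSUMED_VLAN9}))
    for label, conn in cases:
        for rule, src, rcvif, hit in replay(LOG, conn):
            print(f"{label:17} {src} in via {rcvif:9} -> {'deny' if hit else 'pass'}")
```

In this model the only interface on which 192.168.9.3 passes the check is vlan9 itself, so the same frame is denied when the rule sees it on a bridge member or on the bridge.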