I’m bridging traffic on a FreeBSD-10.3 machine, between a vlan and a VIMAGE enabled Jail:

vlan9: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 0c:c4:7a:7d:4f:1e
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 9 parent interface: igb0
bridge9: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:02:28:ac:d2:09
	nd6 options=9<PERFORMNUD,IFDISABLED>
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: vnet0:6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 12 priority 128 path cost 2000
	member: vlan9 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 9 priority 128 path cost 20000
vnet0:6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: associated with jail: aec07207-31b9-11e6-8bed-0cc47a7d4f1e
	options=8<VLAN_MTU>
	ether 02:ff:60:ae:c0:72
	inet6 fe80::ff:60ff:feae:c072%vnet0:6 prefixlen 64 scopeid 0xc
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active

All is good in the world, until I also add an IP address to vlan9. When that happens IPFW appears to gobble up packages originating from vnet0:6. They appear on bridge9, but aren’t forwarded in an egress direction down vlan9.

I don’t have any sysctls relating to bridge filtering enabled:

net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0

But, with an IP address assigned to vlan9, packets are getting filtered:

# ifconfig vlan9 inet 192.168.9.250/24

# tcpdump -i bridge9
13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
13:58:10.497760 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497892 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

# tcpdump -i vlan9
13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497725 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320

# ifconfig vlan9 inet delete

# tcpdump -i bridge9
14:00:58.486653 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486795 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

# tcpdump -i vlan9
14:00:58.486634 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
14:00:58.486792 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300

I don’t have IP forwarding switched on and so I’d expect bridged packets to carry on being bridged irrespective of whether vlan9 has an IP address or not. What’s strange is that ingress packets to the bridge are being forwarded ok, but egress packets out onto the vlan are being filtered.

Is there something obvious that I’ve missed?

Cheers,
Joe
--
Dr Josef Karthauser
Chief Technical Officer
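
An added example, not part of the original message: a small Python script that pairs the packets in two tcpdump listings by summary text within a short time window and reports those seen on one interface but not the other. The sample input is the bridge9 and vlan9 output quoted above (captured with the address assigned); the function names and the 5 ms window are assumptions, and captures that span midnight are not handled.

```python
from datetime import datetime, timedelta

# Sample input: the tcpdump lines quoted in the message above, captured
# while vlan9 had 192.168.9.250/24 assigned.
BRIDGE9 = """\
13:58:02.498307 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:02.498442 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
13:58:10.497760 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497892 IP 192.168.9.3.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
"""
VLAN9 = """\
13:58:02.498273 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
13:58:10.497725 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:14:f2:76:46:e6 (oui Unknown), length 320
"""


def parse(capture):
    """Return [(timestamp, summary)] for each non-empty tcpdump line."""
    packets = []
    for line in capture.splitlines():
        stamp, _, summary = line.strip().partition(" ")
        if summary:
            packets.append((datetime.strptime(stamp, "%H:%M:%S.%f"), summary))
    return packets


def only_in_first(first, second, window=timedelta(milliseconds=5)):
    """Packets in `first` with no same-summary packet in `second` within `window`.

    The same frame is stamped a few microseconds apart on each interface,
    so timestamps are compared with a tolerance rather than for equality.
    """
    unmatched = parse(second)
    missing = []
    for stamp, summary in parse(first):
        match = next((p for p in unmatched
                      if p[1] == summary and abs(p[0] - stamp) <= window), None)
        if match is not None:
            unmatched.remove(match)  # each packet pairs at most once
        else:
            missing.append((stamp.strftime("%H:%M:%S.%f"), summary))
    return missing


if __name__ == "__main__":
    for stamp, summary in only_in_first(BRIDGE9, VLAN9):
        print("on bridge9 only:", stamp, summary)
```

Run against the sample, it lists the two DHCP replies from 192.168.9.3 as present on bridge9 and absent from vlan9, and nothing in the other direction.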