Hello all, Could someone explain this behaviour?
When an IP address is assigned to a bridge member interface, an ARP broadcast request to this interface bypasses the bridge filter rules. But an ARP unicast request is blocked, as it should be.
Setup:

  192.168.1.1 (00:aa:bb:01:02:03) --pcn0-[bridge]-pcn3-- 192.168.1.15 (00:0c:29:b3:fa:3a)

Configuration:

bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                pcn3 flags=4<BLOCKNONIP>
                        port 4 ifpriority 128 ifcost 55
                        pass in on pcn3 src 00:0c:29:b3:fa:3a dst 00:aa:bb:01:02:03
                        block in on pcn3
                        pass out on pcn3 src 00:aa:bb:01:02:03 dst 00:0c:29:b3:fa:3a
                        block out on pcn3
                pcn1 flags=4<BLOCKNONIP>
                        port 2 ifpriority 128 ifcost 55
                pcn0 flags=3<LEARNING,DISCOVER>
                        port 1 ifpriority 128 ifcost 55
        Addresses (max cache: 100, timeout: 240):
                00:0c:29:b3:fa:3a pcn3 0 flags=1<STATIC>
                00:aa:bb:01:02:03 pcn0 1 flags=0<>
                00:0c:29:a3:6d:69 pcn1 0 flags=1<STATIC>

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
pcn0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:c7:1c:1c
        groups: egress
        media: Ethernet autoselect (autoselect)
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fec7:1c1c%pcn0 prefixlen 64 scopeid 0x1
pcn1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:c7:1c:26
        media: Ethernet autoselect (autoselect)
        inet6 fe80::20c:29ff:fec7:1c26%pcn1 prefixlen 64 scopeid 0x2
pcn2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:c7:1c:30
        media: Ethernet autoselect (autoselect)
pcn3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:c7:1c:3a
        media: Ethernet autoselect (autoselect)
        inet6 fe80::20c:29ff:fec7:1c3a%pcn3 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge

Command on 192.168.1.15:

  arping 192.168.1.2
  ARPING 192.168.1.2 from 192.168.1.15 eth0
  Unicast reply from 192.168.1.2 [00:0C:29:C7:1C:1C]
  Sent 4 probes (1 broadcast(s))
  Received 1 response(s)

TCPDUMP on pcn3:

  17:57:27.358385 0:c:29:b3:fa:3a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.1.2 (ff:ff:ff:ff:ff:ff) tell 192.168.1.15
  17:57:27.358502 0:c:29:c7:1c:1c 0:c:29:b3:fa:3a 0806 60: arp reply 192.168.1.2 is-at 0:c:29:c7:1c:1c
  17:57:28.911213 0:c:29:b3:fa:3a 0:c:29:c7:1c:1c 0806 60: arp who-has 192.168.1.2 (0:c:29:c7:1c:1c) tell 192.168.1.15
  17:57:30.556387 0:c:29:b3:fa:3a 0:c:29:c7:1c:1c 0806 60: arp who-has 192.168.1.2 (0:c:29:c7:1c:1c) tell 192.168.1.15
  17:57:32.405283 0:c:29:b3:fa:3a 0:c:29:c7:1c:1c 0806 60: arp who-has 192.168.1.2 (0:c:29:c7:1c:1c) tell 192.168.1.15
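An added example, not part of the original post and not OpenBSD code: a small Python script that takes the pcn3 bridge rules and the tcpdump lines quoted above, normalises tcpdump's short MAC notation, and reports what the written rule set says about each frame. It assumes a first-matching-rule-wins model with pass as the default when nothing matches; the rule and frame data are copied from the post. Running it shows that the broadcast who-has (dst ff:ff:ff:ff:ff:ff) does not match the single `pass in` rule and therefore falls through to `block in on pcn3`, exactly like the unicast who-has that was observed to be blocked. The reply at 17:57:27.358502 in the capture is what the rules alone do not predict, which is the discrepancy the post asks about.

```python
import re

# Bridge filter rules on pcn3, as printed in the post's bridge configuration.
# Assumed evaluation model (not taken from the page): rules are checked in
# order, the first match decides, and a frame matching no rule is passed.
# src/dst None means "any address".
RULES = [
    {"action": "pass",  "dir": "in",  "src": "00:0c:29:b3:fa:3a", "dst": "00:aa:bb:01:02:03"},
    {"action": "block", "dir": "in",  "src": None, "dst": None},
    {"action": "pass",  "dir": "out", "src": "00:aa:bb:01:02:03", "dst": "00:0c:29:b3:fa:3a"},
    {"action": "block", "dir": "out", "src": None, "dst": None},
]

# tcpdump lines from the post (first three, quoted verbatim).
CAPTURE = """\
17:57:27.358385 0:c:29:b3:fa:3a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.1.2 (ff:ff:ff:ff:ff:ff) tell 192.168.1.15
17:57:27.358502 0:c:29:c7:1c:1c 0:c:29:b3:fa:3a 0806 60: arp reply 192.168.1.2 is-at 0:c:29:c7:1c:1c
17:57:28.911213 0:c:29:b3:fa:3a 0:c:29:c7:1c:1c 0806 60: arp who-has 192.168.1.2 (0:c:29:c7:1c:1c) tell 192.168.1.15
"""

FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]+) (?P<dst>[0-9a-f:]+) 0806 \d+: "
    r"arp (?P<op>who-has|reply) (?P<rest>.*)$"
)


def norm_mac(mac):
    """tcpdump prints octets without leading zeros ('0:c:29:...'); pad each
    octet to the two-digit form used in the bridge configuration."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_capture(text):
    """Extract the ARP frames from tcpdump link-level output."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        dst = norm_mac(m["dst"])
        frames.append({
            "ts": m["ts"],
            "src": norm_mac(m["src"]),
            "dst": dst,
            "op": m["op"],
            "broadcast": dst == "ff:ff:ff:ff:ff:ff",
        })
    return frames


def evaluate(frame, direction, rules=RULES):
    """Return the verdict the rule list gives a frame travelling in
    'direction' ('in' or 'out') on pcn3."""
    for r in rules:
        if r["dir"] != direction:
            continue
        if r["src"] is not None and r["src"] != frame["src"]:
            continue
        if r["dst"] is not None and r["dst"] != frame["dst"]:
            continue
        return r["action"]
    return "pass"  # assumed default when nothing matches


def audit(text):
    """Pair every captured frame with the verdict the written rules give it.
    who-has requests arrive on pcn3 ('in'); the reply seen on pcn3 with the
    requester as destination is treated as leaving on pcn3 ('out')."""
    results = []
    for f in parse_capture(text):
        direction = "in" if f["op"] == "who-has" else "out"
        kind = "broadcast" if f["broadcast"] else "unicast"
        results.append((f["ts"], f["op"], kind, evaluate(f, direction)))
    return results


if __name__ == "__main__":
    for ts, op, kind, verdict in audit(CAPTURE):
        print(f"{ts} arp {op:<8} {kind:<9} rules say: {verdict}")
```

Every frame in the capture comes back as "block": the pass rules only admit the exact 00:0c:29:b3:fa:3a to 00:aa:bb:01:02:03 pair, and neither the broadcast request nor the locally generated reply carries that pair. Checking the rule set against a capture this way is a quick sanity test before assuming the bridge filter, rather than the rules, is at fault.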