Date:      Wed, 24 Sep 2008 18:36:35 +0400
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        Michael Proto <mike@jellydonut.org>
Cc:        FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: sysctls and if_bridge
Message-ID:  <wFMM0X05KwEp6HzmyOu91favmi0@8aZIZZZvzzzGx/hHi7dR6YPK4zY>
In-Reply-To: <1de79840809240710q5222645ar4549d96a457d7614@mail.gmail.com>
References:  <48C1E43C.1010902@jellydonut.org> <1de79840809240710q5222645ar4549d96a457d7614@mail.gmail.com>


Michael, good day.

Wed, Sep 24, 2008 at 10:10:28AM -0400, Michael Proto wrote:
> > Ran into a strange problem the other day, hoping someone can shed some
> > light on this. Updated 8-CURRENT from 6/14 to 9/02 and noticed a strange
> > thing with my if_bridge interface. It appears as though the sysctls for
> > determining where to enable/disable filtering don't seem to be working.
> >
> > My router has an IP, 1.2.3.4/24 on its vr2 interface, which is bridged
> > to a second vr1 interface for my 3 other static IPs.
> >
> > /etc/rc.conf:
> > ifconfig_vr2="inet 1.2.3.4 netmask 255.255.255.0"
> > ifconfig_vr1="up"
> > cloned_interfaces="bridge0"
> > ifconfig_bridge0="addm vr2 addm vr1 up"
> >
> > /etc/sysctl.conf:
> > net.link.bridge.pfil_member=1
> > net.link.bridge.pfil_bridge=0
> >
> > Based on what I've read from the man pages (and how it worked before),
> > this should enable filtering on the vr2 and vr1 interfaces, and not the
> > bridge0 interface. After updating to 8-CURRENT 9/02 it appears that
> > these sysctl settings no longer matter, and filtering is enabled on both
> > the bridge and member interfaces. I ultimately had to tweak my
> > /etc/pf.conf and set all my inbound-from-the-Internet vr2 rules to
> > reference bridge0 instead. Outbound rules still use vr2, and I've
> > flipped both sysctl settings with no change in behavior. Traffic flows
> > now, but it appears these sysctls are not working as they should, or I'm
> > really missing something.

Could you please post your ifconfig output?
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
