From: "Michael Proto" <mike@jellydonut.org>
To: "Eygene Ryabinkin"
Cc: FreeBSD Current <freebsd-current@freebsd.org>
Date: Wed, 24 Sep 2008 10:45:23 -0400
Subject: Re: sysctls and if_bridge
Message-ID: <1de79840809240745k4bb9d7bekb3f96812e109d035@mail.gmail.com>
References: <48C1E43C.1010902@jellydonut.org> <1de79840809240710q5222645ar4549d96a457d7614@mail.gmail.com>
List-Id: Discussions about the use of FreeBSD-current

On Wed, Sep 24, 2008 at 10:36 AM, Eygene Ryabinkin wrote:
> Michael, good day.
>
> Wed, Sep 24, 2008 at 10:10:28AM -0400, Michael Proto wrote:
> > > Ran into a strange problem the other day, hoping someone can shed some
> > > light on this. Updated 8-CURRENT from 6/14 to 9/02 and noticed a strange
> > > thing with my if_bridge interface.
> > > It appears as though the sysctls for
> > > determining where to enable/disable filtering don't seem to be working.
> > >
> > > My router has an IP, 1.2.3.4/24 on its vr2 interface, which is bridged
> > > to a second vr1 interface for my 3 other static IPs.
> > >
> > > /etc/rc.conf:
> > > ifconfig_vr2="inet 1.2.3.4 netmask 255.255.255.0"
> > > ifconfig_vr1="up"
> > > cloned_interfaces="bridge0"
> > > ifconfig_bridge0="addm vr2 addm vr1 up"
> > >
> > > /etc/sysctl.conf:
> > > net.link.bridge.pfil_member=1
> > > net.link.bridge.pfil_bridge=0
> > >
> > > Based on what I've read from the man pages (and how it worked before),
> > > this should enable filtering on the vr2 and vr1 interfaces, and not the
> > > bridge0 interface. After updating to 8-CURRENT 9/02 it appears that
> > > these sysctl settings no longer matter, and filtering is enabled on both
> > > the bridge and member interfaces. I ultimately had to tweak my
> > > /etc/pf.conf and set all my inbound-from-the-Internet vr2 rules to
> > > reference bridge0 instead. Outbound rules still use vr2, and I've
> > > flipped both sysctl settings with no change in behavior. Traffic flows
> > > now, but it appears these sysctls are not working as they should, or I'm
> > > really missing something.
>
> Could you please post your ifconfig output?
> --
> Eygene
> Remember that it is hard to read the on-line manual
> while single-stepping the kernel.
>   -- FreeBSD Developers handbook

Sure! Here you go, and thanks! Bear in mind I'm using interface naming in /etc/rc.conf.
lan, dmz, and wan are all vr interfaces, and wifi is a vap interface "cloned" from ath0.

lan: flags=8843 metric 0 mtu 1500
        options=280b
        ether 00:0d:b9:12:99:68
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX )
        status: active
dmz: flags=8943 metric 0 mtu 1500
        options=280b
        ether 00:0d:b9:12:99:69
        media: Ethernet autoselect (100baseTX )
        status: active
wan: flags=8943 metric 0 mtu 1500
        options=280b
        ether 00:0d:b9:12:99:6a
        inet 20.30.40.50 netmask 0xffffff00 broadcast 20.30.40.255
        media: Ethernet 100baseTX
        status: active
ath0: flags=8843 metric 0 mtu 2290
        ether 00:80:48:7e:4c:e3
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
        status: running
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141 metric 0 mtu 33204
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843 metric 0 mtu 1500
        ether 00:0d:b9:12:99:6a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: dmz flags=143
                ifmaxaddr 0 port 2 priority 128 path cost 200000
        member: wan flags=143
                ifmaxaddr 0 port 3 priority 128 path cost 55
wifi: flags=8843 metric 0 mtu 2290
        ether 00:80:48:7e:4c:e3
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
        status: running
        ssid BingoNightly channel 11 (2462 Mhz 11g) bssid 00:80:48:7e:4c:e3
        country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
        AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 17 scanvalid 60
        protmode CTS wme burst dtimperiod 1 -dfs

-Proto
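The practical risk in the situation above is a pf rule set that silently stops matching: a rule bound to a member interface only sees bridged traffic when net.link.bridge.pfil_member=1, and a rule bound to bridge0 only when net.link.bridge.pfil_bridge=1. The script below is an added example, not part of this thread or of FreeBSD; it takes the two sysctl values, the bridge member names and a pf.conf text as arguments (a constructed sample in the shape of the original poster's setup is embedded) and reports rules that cannot see bridged traffic under that sysctl pair. Only the plain "pass|block|match ... on IFACE" rule form is parsed.

```shell
#!/bin/sh
# Added example (not from the thread): flag pf rules that cannot match bridged
# traffic for a given pair of if_bridge pfil sysctls.
#   net.link.bridge.pfil_member=1 -> pfil hooks run on member interfaces (vr1, vr2)
#   net.link.bridge.pfil_bridge=1 -> pfil hooks run on the bridge itself (bridge0)
# Values are passed as arguments so this runs without a FreeBSD host; on the
# router use $(sysctl -n net.link.bridge.pfil_member), the pfil_bridge value,
# and the "member:" names printed by "ifconfig bridge0".
# Interface lists such as "on { vr1 vr2 }" and negated interfaces are not handled.

# audit_pf_rules PFIL_MEMBER PFIL_BRIDGE "MEMBER ..." PF_CONF_TEXT
# Prints one "dead ..." line per affected rule; exit status 1 if any were found.
audit_pf_rules() {
    printf '%s\n' "$4" | awk -v m="$1" -v b="$2" -v mem="$3" '
        BEGIN { n = split(mem, a, " "); for (i = 1; i <= n; i++) is_member[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        /^[ \t]*(pass|block|match)[ \t]/ {
            ifc = ""
            for (i = 1; i < NF; i++) if ($i == "on") ifc = $(i + 1)
            if (ifc == "") next                        # rule not bound to an interface
            if ((ifc in is_member) && m == 0)
                { print "dead (pfil_member=0): " $0; bad++ }
            else if (ifc ~ /^bridge[0-9]+$/ && b == 0)
                { print "dead (pfil_bridge=0): " $0; bad++ }
        }
        END { exit (bad > 0) }'
}

# Number of dead rules, for use in scripts and tests (always exits 0).
dead_rule_count() {
    audit_pf_rules "$1" "$2" "$3" "$4" | grep -c '^dead' || true
}

# Constructed sample pf.conf modelled on the original post (1.2.3.4 on vr2).
SAMPLE_CONF='# constructed sample
pass in on vr2 proto tcp from any to 1.2.3.4 port 22
pass out on vr2
pass in on bridge0 proto tcp from any to 1.2.3.4 port 80
block in on lo0'

# The poster's intended setting (member=1, bridge=0): the bridge0 rule is dead.
echo "pfil_member=1 pfil_bridge=0: $(dead_rule_count 1 0 "vr1 vr2" "$SAMPLE_CONF") dead rule(s)"
# The inverse setting: both rules bound to vr2 are dead.
echo "pfil_member=0 pfil_bridge=1: $(dead_rule_count 0 1 "vr1 vr2" "$SAMPLE_CONF") dead rule(s)"
```

Running the audit after each sysctl change (or after a kernel update such as the one in this thread) shows which rules have stopped applying before traffic does.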