Date:      Wed, 2 Oct 2002 10:36:20 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        ipfw@freebsd.org, luigi@freebsd.org
Subject:   ipfw(8), bridge(4), and arp(4)
Message-ID:  <20021002173620.GA87135@blossom.cjclark.org>

I am seeing some strangeness with ipfw(8) and bridge(4). It looks like
ARP is being blocked somewhere for the bridging host.

When I enable bridging, everything works fine. When I turn on ipfw(8)
in the bridge,

  # sysctl net.link.ether.bridge_ipfw=1

Things get a little messed up. The funny thing is, machines can
communicate freely with one another on opposite sides of the bridge,
but the bridge host itself seems to be having some problems.

When I try to communicate directly with the bridge host, the ARPs go
unanswered. tcpdump(8) on any host, including the bridge host, shows
the "who-is" messages go out, but there is no response. This seems to
be an ARP or at least non-IP problem. Can anyone reproduce the
following or something like it:

  (1) Establish a TCP connection to a bridging host (e.g. ssh or
      telnet in).

  (2) On the bridging host, turn on ipfw(8) in the bridge,

        # sysctl net.link.ether.bridge_ipfw=1

  (3) If your arp(8) cache is still fresh, your TCP connection should
      work fine.

  (4) On the TCP client, clear the arp(8) entry for the bridge host
      from the cache,

        # arp -d bridge-host

  (5) Does your TCP connection no longer work?

  (6) Turn off ipfw(8) in the bridge,

        # sysctl net.link.ether.bridge_ipfw=0

  (7) Does the TCP connection snap back to life?

I'm wondering if this is a result of some of the changes to ipfw(8) in
bridging and filtering at the Ethernet layer. Bug or feature?

luigi, is there something, besides code and commit messages,
documenting the design of ipfw(8) interaction at the link-layer? I've
bumped into this while trying to get IPFilter working in RELENG_4
bridging again.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
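
An added example, not part of the original message: a small Python filter for the symptom reported above, where ARP who-has requests for the bridge host go out and no reply follows. It reads the text output of `tcpdump -n arp` on stdin; the function name is hypothetical, and the addresses and sample lines are constructed (192.0.2.1 stands in for the bridge host).

```python
import re
import sys
from collections import Counter

# Matches both the older "arp who-has A tell B" output and the newer
# "ARP, Request who-has A tell B, length 28" form printed by tcpdump.
REQUEST = re.compile(r"who-has (\S+)(?: \(\S+\))? tell ([^\s,]+)")
REPLY = re.compile(r"(\S+) is-at ([0-9A-Fa-f:]+)")


def unanswered_arp(lines):
    """Return {(target_ip, asker_ip): count} for requests with no later reply."""
    pending = Counter()
    for line in lines:
        m = REQUEST.search(line)
        if m:
            pending[(m.group(1), m.group(2))] += 1
            continue
        m = REPLY.search(line)
        if m:
            # A reply for an address answers every outstanding request for it.
            for key in [k for k in pending if k[0] == m.group(1)]:
                del pending[key]
    return dict(pending)


# Constructed sample: 192.0.2.20 answers normally, while requests for
# 192.0.2.1 (the assumed bridge host) from two clients are never answered.
SAMPLE = """\
10:36:01.000100 arp who-has 192.0.2.20 tell 192.0.2.10
10:36:01.000400 arp reply 192.0.2.20 is-at 0:a0:c9:11:22:33
10:36:05.100000 arp who-has 192.0.2.1 tell 192.0.2.10
10:36:06.100000 arp who-has 192.0.2.1 tell 192.0.2.10
10:36:07.100000 arp who-has 192.0.2.1 tell 192.0.2.10
10:36:08.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 28
""".splitlines()

if __name__ == "__main__":
    # Use saved tcpdump output from stdin when piped, else the sample above.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (target, asker), n in sorted(unanswered_arp(source).items()):
        print(f"{target}: {n} request(s) from {asker} with no reply")
```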
