
List:       openbsd-sparc
Subject:    Re: PF, Bridge, and IP on bridged interface [more]
From:       Jim Fron <j-fron.q.public () comcast ! net>
Date:       2005-02-21 12:55:40
Message-ID: 08edfd95e7a612dbcd15fbe6075b2667 () comcast ! net

A helpful person on the PF list said he has a similar setup, but does 
not experience the problem I'm having.  So I'm starting to suspect it 
might be an SBUS/Sparc-specific problem.  I'm working with 
OpenBSD/Sparc on an SS20, and, if it makes any difference at all, my 
interfaces are lebuffer and ledma.  Issue: bridging causes pf to 
mis-apply frames to the wrong interface.  This is only a problem if I 
want to filter directionally -- that is, allow clients on one side of 
the bridged subnet more access than clients on the other.

Using tcpdump on le0 and le2 shows traffic arriving and departing on 
the correct interfaces all of the time, regardless of bridge state.  
However, traffic appearing in pflog as matching rules from the "wrong" 
interface appears to be due to the bridge:

$ sudo brconfig bridge0 down
$ sudo tcpdump -netttvvv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Feb 18 09:51:51.949840 rule 2/0(match): pass in on le0: 192.168.1.9 > 
192.168.1.1: icmp: echo request (id:19bc seq:0) (ttl 64, id 30421)
Feb 18 09:51:51.950030 rule 4/0(match): pass out on le0: 192.168.1.1 > 
192.168.1.9: icmp: echo reply (id:19bc seq:0) (ttl 255, id 25154)

$ sudo brconfig bridge0 up
$ sudo tcpdump -netttvvv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Feb 18 09:52:29.459668 rule 3/0(match): pass in on le2: 192.168.1.9 > 
192.168.1.1: icmp: echo request (id:19bd seq:0) (ttl 64, id 30487)
Feb 18 09:52:29.459838 rule 4/0(match): pass out on le0: 192.168.1.1 > 
192.168.1.9: icmp: echo reply (id:19bd seq:0) (ttl 255, id 21188)

Where:
	@2 pass in log-all quick on le0 all
	@3 pass in log-all quick on le2 all
	@4 pass out log-all quick on le0 all

Incidentally, this only happens to traffic TO and FROM the router.  The 
packets that TRAVERSE the router from one host on le0 to another on 
le2, and vice versa, always appear on the correct interface.

I've tried to use bridge rules, but have had even more problems with 
those, as applying the following to my bridgename.bridge0:

	rule pass in on le0 tag t_lan
	rule pass in on le2 tag t_wap

Results in frames that match NEITHER pf rules for 'tagged t_lan' nor 
'tagged t_wap.'

So, back to my earlier questions: is this a bug in bridge?  For Sparc?  
For these specific SBUS cards?

More to the point, whether it is or is not a bug, is this behavior 
determinate -- that is, with the bridge up:

inbound traffic from le0 to le2, and vice versa, always matches rules 
for the correct interfaces
inbound traffic from le0 AND le2 to the router always appears to match 
rules for le2
outbound traffic from the router to le0 AND le2 always appears to match 
rules for le0

Why?  Can I depend on this to always be the case?  How do I know which 
interface it will pick for the 'outbound,' and which it will pick for 
the 'inbound'?  Is that a function of which interface has the IP 
assigned?  Is it a function of the order in which they were added to 
the bridge?  Is it a function of boot-time discovery order?  Interface 
number?  Etc.?


Thanks in advance,
Jim
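The post above compares two pflog captures by eye. The following script, added here as an illustration and not part of the original message or of OpenBSD, automates that comparison: it parses `tcpdump -i pflog0` lines, looks up which interface each logged rule is defined on (the `@2`/`@3`/`@4` table from the post), and flags router-bound packets whose logged interface does not match the segment the peer host actually lives on. It assumes 192.168.1.1 is the router and that 192.168.1.9 sits on the le0 segment, which is consistent with the bridge-down capture but is an assumption of the example; the sample log lines are the two captures from the post joined back onto single lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rule table copied from the "Where:" listing in the post:
#   @2 pass in quick on le0, @3 pass in quick on le2, @4 pass out quick on le0
RULES = {
    2: ("in", "le0"),
    3: ("in", "le2"),
    4: ("out", "le0"),
}

# Assumptions for this example (not stated outright in the post): the router
# is 192.168.1.1 and 192.168.1.9 is on the le0 segment, which is what the
# bridge-down capture shows (its echo request matched rule @2 on le0).
ROUTER_ADDR = "192.168.1.1"
HOST_SEGMENT = {"192.168.1.9": "le0"}

# Extracts the fields of interest from a `tcpdump -netttvvv -i pflog0` line.
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)

# Sample input: the two captures from the post, each line rejoined.
BRIDGE_DOWN_LOG = [
    "Feb 18 09:51:51.949840 rule 2/0(match): pass in on le0: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bc seq:0) (ttl 64, id 30421)",
    "Feb 18 09:51:51.950030 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bc seq:0) (ttl 255, id 25154)",
]
BRIDGE_UP_LOG = [
    "Feb 18 09:52:29.459668 rule 3/0(match): pass in on le2: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bd seq:0) (ttl 64, id 30487)",
    "Feb 18 09:52:29.459838 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bd seq:0) (ttl 255, id 21188)",
]


@dataclass
class Finding:
    rule: int
    direction: str
    logged_if: str
    expected_if: Optional[str]  # None when the peer's segment is unknown

    @property
    def mismatch(self) -> bool:
        return self.expected_if is not None and self.expected_if != self.logged_if


def parse_pflog_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one pflog line, or None if it is not one."""
    m = PFLOG_RE.match(line)
    return m.groupdict() if m else None


def expected_interface(src: str, dst: str, direction: str) -> Optional[str]:
    """Interface pf should have matched on for traffic to or from the router.

    The peer is the non-router end: the source of an inbound packet, the
    destination of an outbound one. Packets that merely traverse the bridge
    are skipped (None), since the post reports those as always correct.
    """
    peer, other = (src, dst) if direction == "in" else (dst, src)
    if other != ROUTER_ADDR:
        return None
    return HOST_SEGMENT.get(peer)


def check_pflog(lines) -> list:
    """Parse every pflog line and compare the logged interface with the expected one."""
    findings = []
    for line in lines:
        f = parse_pflog_line(line)
        if f is None:
            continue
        rule = int(f["rule"])
        if rule in RULES:
            rule_dir, rule_if = RULES[rule]
            # pflog reports the rule that matched, so its direction and
            # interface must agree with the loaded ruleset; otherwise the
            # rule table used here is stale.
            if (rule_dir, rule_if) != (f["dir"], f["ifname"]):
                raise ValueError(f"rule @{rule} logged on {f['ifname']} but defined on {rule_if}")
        findings.append(
            Finding(rule, f["dir"], f["ifname"], expected_interface(f["src"], f["dst"], f["dir"]))
        )
    return findings


def mismatches(lines) -> list:
    """Only the findings where pf attributed the packet to the wrong interface."""
    return [f for f in check_pflog(lines) if f.mismatch]


if __name__ == "__main__":
    for name, log in (("bridge down", BRIDGE_DOWN_LOG), ("bridge up", BRIDGE_UP_LOG)):
        bad = mismatches(log)
        print(f"{name}: {len(bad)} misattributed packet(s)")
        for f in bad:
            print(f"  rule @{f.rule} {f.direction} on {f.logged_if}, expected {f.expected_if}")
```

Run against the two captures, the bridge-down log produces no findings while the bridge-up log flags the echo request that matched `@3` on le2 although its source is on the le0 segment; the same host-to-segment table can be extended to every client on either side to confirm whether the pattern the post describes (all inbound to the router on le2, all outbound on le0) holds across a longer capture.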
