Bug 208910 - if_bridge does not work properly with vlans and VIMAGE
Summary: if_bridge does not work properly with vlans and VIMAGE
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.3-RELEASE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-net (Nobody)
Reported: 2016-04-18 23:00 UTC by heliocentric
Modified: 2019-05-29 03:49 UTC (History)
Description heliocentric 2016-04-18 23:00:25 UTC
VIMAGE network stacks have issues with a bridge on top of a vlan interface. This limits the utility of having many jails on a FreeBSD host where the jails are bound to multiple vlans, resulting in having to bridge the entire trunk port to work around it, which can be a security risk.

A patch was already introduced to TrueNAS by delphij a few years ago, and it was confirmed to work on 10.3-RELEASE:

https://github.com/trueos/trueos/commit/02859369158af2ae3bcb6a9e4434841239f7c526.diff
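The two topologies the report contrasts, as an added example that is not part of the bug report or of the TrueOS patch: bridging the whole trunk (the workaround, which exposes every VLAN's frames to every jail on the bridge) beside the intended per-VLAN layout (one vlan(4) interface and one bridge per VLAN, so a jail's bridge member only ever carries its own VLAN). The trunk name, VLAN IDs and bridge numbering are constructed sample values; the script prints the ifconfig(8) commands rather than executing them unless APPLY=1 is set, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the bug report): emit the ifconfig(8) commands for
# the two bridge topologies. TRUNK and VLAN ids are constructed sample values.
set -eu

# Workaround topology described in the report: bridge the entire trunk port.
# Every jail attached to bridge0 sees tagged frames for every VLAN on the trunk.
trunk_bridge_cmds() {
  trunk=$1
  printf 'ifconfig bridge0 create\n'
  printf 'ifconfig bridge0 addm %s up\n' "$trunk"
}

# Intended topology: one vlan(4) interface and one bridge per VLAN id, so each
# bridge (and the jail epairs later added to it) carries exactly one VLAN.
per_vlan_bridge_cmds() {
  trunk=$1
  shift
  for vid in "$@"; do
    printf 'ifconfig vlan%s create vlan %s vlandev %s up\n' "$vid" "$vid" "$trunk"
    printf 'ifconfig bridge%s create\n' "$vid"
    printf 'ifconfig bridge%s addm vlan%s up\n' "$vid" "$vid"
  done
}

# Number of bridges a command list creates; a quick way to confirm that the
# per-VLAN layout really isolates VLANs into separate bridges.
bridge_count() {
  grep -c 'bridge[0-9]* create'
}

# Print the commands, or run them when APPLY=1 (requires root on FreeBSD).
run() {
  if [ "${APPLY:-0}" = 1 ]; then sh; else cat; fi
}

# Sample invocation: trunk em0 carrying VLANs 100 and 200 (constructed values).
per_vlan_bridge_cmds em0 100 200 | run
```

With the per-VLAN layout a jail that must not see VLAN 200 is simply never given a member on bridge200; with the trunk-bridged workaround that separation has to be enforced by filtering instead.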
Comment 1 Shawn Debnath 2016-04-20 00:29:55 UTC
Submitted a review with the associated commit from TrueOS to speed things along:

https://reviews.freebsd.org/D6015
Comment 2 Shawn Debnath 2016-04-25 20:54:17 UTC
Per kp@, the current patch by delphij is not a proper fix for the issue (see review). I am going to dig deeper to try to find the root cause for two issues I am running into, which according to kp@ are unrelated but would be good to hunt down:

1) why the bridge is not accepting and retaining the mac address of the first interface attached to it.
2) why the bridge is unable to disable capabilities on the parent interface (likely IFCAP_LRO, but could be others as well).

Regardless, the kernel shouldn't be exposing all of SIOCSIFCAP to the parent interface.
Comment 3 Kristof Provost (freebsd_committer, freebsd_triage) 2016-04-25 21:39:44 UTC
(In reply to Shawn Debnath from comment #2)
To clarify, my main objection to the patch at the moment is that we don't understand what it fixes and why.
It's possible that it is actually the correct way to fix things (although I have some concerns w.r.t. vnet, but that's a different discussion).