From nobody@FreeBSD.org  Wed Apr  3 19:30:05 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
	by hub.freebsd.org (Postfix) with ESMTP id C4694D20
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  3 Apr 2013 19:30:05 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id B6A149E9
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  3 Apr 2013 19:30:05 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r33JU4bV084348
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 3 Apr 2013 19:30:04 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id r33JU4SU084347;
	Wed, 3 Apr 2013 19:30:04 GMT
	(envelope-from nobody)
Message-Id: <201304031930.r33JU4SU084347@red.freebsd.org>
Date: Wed, 3 Apr 2013 19:30:04 GMT
From: Jean Aumont <jaumont@mediagrif.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Bridge firewall with trunk ports and vlans
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         177618
>Category:       kern
>Synopsis:       [bridge] Problem with bridge firewall with trunk ports and vlans
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 03 19:40:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Mon Apr 15 01:52:49 UTC 2013
>Originator:     Jean Aumont
>Release:        Version 8.2 (also 7.2)
>Organization:
Mediagrif
>Environment:
FreeBSD TestFW 8.2-Release FreeBSD 8.2-Release #0: Fri Mar 2 10:11:53 EST 2012
    root@:/usr/obj/usr/src/sys/MDFKERNEL i386

>Description:
First, let's clarify that the kernel has been recompiled to support pf,
CARP and ALTQ by adding the following options to the kernel config file:

device pf
device pflog
device pfsync
device carp
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC

I do not believe that those options have an impact on the problem, but
just to be clear, I wanted to mention them. The following can be replicated
on FreeBSD 8.2 and 7.2.

Here is the problem.

I have 2 Cisco switches, both of them carrying 2 VLANs: 10 and 50.

Those 2 switches are connected to my FreeBSD firewall with a dot1q trunk
port that carries those 2 VLANs.

One switch is connected to the bge0 interface and the other switch is
connected to the xl0 interface.

I want to filter the traffic using FreeBSD as a bridge firewall without
mixing VLAN 10 and 50, and be able to control the spanning tree priority.

The configuration I used in /etc/rc.conf is as follows:

cloned_interfaces="vlan100 vlan101 vlan500 vlan501 bridge0 bridge1"
ifconfig_bridge0="fwddelay    12 \
                  maxage      16 \
                  priority    4096 \
                  addm        vlan100 \
                  addm        vlan101 \
                  stp         vlan100 \
                  stp         vlan101 \
                 -learn       vlan100 \
                 -learn       vlan101 \
                  up"
ifconfig_bridge1="fwddelay    12 \
                  maxage      16 \
                  priority    45056   \
                  addm        vlan500 \
                  addm        vlan501 \
                  stp         vlan500 \
                  stp         vlan501 \
                 -learn       vlan500 \
                 -learn       vlan501 \
                  up"
ifconfig_vlan100="vlan 10 vlandev bge0 up"
ifconfig_vlan101="vlan 10 vlandev xl0  up"
ifconfig_vlan500="vlan 50 vlandev bge0 up"
ifconfig_vlan501="vlan 50 vlandev xl0 up"
ifconfig_bge0="up"
ifconfig_xl0="up"

I tried to separate the traffic from VLAN 10 and 50 onto bridge0 and bridge1
respectively by using intermediate vlan interfaces that are mapped to the trunk ports.

For VLAN 10, I used vlan100 from interface bge0 and vlan101 from xl0.
For VLAN 50, I used vlan500 from interface bge0 and vlan501 from xl0.

The traffic is separated properly between VLAN 10 and 50, and using
tcpdump on the bridges I could confirm that.

The problem is that the bridge priority is not respected, even though
the command "ifconfig bridge0" shows that the right value is set for
the priority.

Using tcpdump on bridge0 or bridge1, you can see STP traffic passing
through the bridge.

Also, neither bridge acquires a bridge ID; it is left at 00:00:00:00:00:00.

I also tried to create the bridge manually using shell commands, here
is the result:

ifconfig bridge0 create 
ifconfig bridge0 priority 4096
ifconfig bridge0 addm vlan100
ifconfig bridge0 addm vlam101
==> bridge0: error setting interface capability on vlan100
ifconfig bridge0 stp vlan100
==> ifconfig: unable to set bridge flags: Invalid argument
ifconfig bridge0 -learn vlan100
ifconfig bridge0 -learn vlan101
ifconfig bridge0 fwddelay 12
ifconfig bridge0 maxage 16

As you can see, there were some errors ....

Am I using the right technique to accomplish what I want?

Thanks.
Jean Aumont

>How-To-Repeat:
Just use the configuration from the description.
>Fix:
Do not know.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Apr 15 01:49:58 UTC 2013 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=177618 
>Unformatted:

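Added here as an example; it is not part of the PR and not FreeBSD's own tooling. The script parses an rc.conf fragment like the one in the report (the submitter's configuration, embedded as data with its whitespace condensed but the backslash continuation lines kept) and checks the invariant the whole layout depends on for separation: every bridge joins exactly one 802.1Q tag, each of its members sits on a different trunk port, STP is enabled on every member, and the priority is in the range ifconfig(8) documents (0 to 61440; 802.1w keeps only the top four bits, so steps of 4096). A bridge that mixes tags would forward frames between VLAN 10 and VLAN 50 regardless of what pf does, which is the failure this check is meant to catch before the config goes live. The function and variable names (parse_rc_conf, audit_rc_conf, RC_CONF) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the submitter's rc.conf fragment, condensed, as data.
RC_CONF = r'''
cloned_interfaces="vlan100 vlan101 vlan500 vlan501 bridge0 bridge1"
ifconfig_bridge0="fwddelay 12 maxage 16 priority 4096 \
                  addm vlan100 addm vlan101 \
                  stp vlan100 stp vlan101 \
                  -learn vlan100 -learn vlan101 up"
ifconfig_bridge1="fwddelay 12 maxage 16 priority 45056 \
                  addm vlan500 addm vlan501 \
                  stp vlan500 stp vlan501 \
                  -learn vlan500 -learn vlan501 up"
ifconfig_vlan100="vlan 10 vlandev bge0 up"
ifconfig_vlan101="vlan 10 vlandev xl0  up"
ifconfig_vlan500="vlan 50 vlandev bge0 up"
ifconfig_vlan501="vlan 50 vlandev xl0 up"
ifconfig_bge0="up"
ifconfig_xl0="up"
'''

VAR_RE = re.compile(r'^\s*(\w+)="([^"]*)"\s*$')


def parse_rc_conf(text):
    """Return {variable: value}; rc.conf is sourced by sh, so a backslash
    before a newline inside the quotes is a line continuation."""
    cfg = {}
    for line in text.replace("\\\n", " ").splitlines():
        m = VAR_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def parse_vlans(cfg):
    """Map vlan interface -> (tag, parent) from 'vlan N vlandev DEV' stanzas."""
    vlans = {}
    for key, val in cfg.items():
        t = val.split()
        if key.startswith("ifconfig_") and "vlan" in t and "vlandev" in t:
            vlans[key[len("ifconfig_"):]] = (int(t[t.index("vlan") + 1]),
                                             t[t.index("vlandev") + 1])
    return vlans


def parse_bridges(cfg):
    """Map bridge -> members, STP members and priority from ifconfig_bridgeN."""
    bridges = {}
    for key, val in cfg.items():
        if not key.startswith("ifconfig_bridge"):
            continue
        b = {"members": [], "stp": [], "priority": None}
        t = val.split()
        for i, tok in enumerate(t[:-1]):
            if tok == "addm":
                b["members"].append(t[i + 1])
            elif tok == "stp":
                b["stp"].append(t[i + 1])
            elif tok == "priority":
                b["priority"] = int(t[i + 1])
        bridges[key[len("ifconfig_"):]] = b
    return bridges


def check_vlan_separation(cfg, vlans, bridges):
    """Findings for the one-tag-per-bridge layout; an empty list means OK."""
    findings = []
    cloned = set(cfg.get("cloned_interfaces", "").split())
    tag_owner = defaultdict(set)
    for name, b in bridges.items():
        tags, parents = set(), []
        for m in b["members"]:
            if m not in vlans:
                findings.append(f"{name}: member {m} is not a configured vlan interface")
                continue
            tag, parent = vlans[m]
            tags.add(tag)
            parents.append(parent)
            tag_owner[tag].add(name)
        if len(tags) > 1:  # the bridge would forward between VLANs, bypassing any filter
            findings.append(f"{name} mixes VLAN tags {sorted(tags)}: traffic would leak between them")
        if len(parents) != len(set(parents)):
            findings.append(f"{name} has two members on the same trunk port {parents}")
        for m in set(b["members"]) - set(b["stp"]):
            findings.append(f"{name}: STP not enabled on member {m}")
        p = b["priority"]  # 802.1w keeps 4 bits of priority: 0..61440 in steps of 4096
        if p is not None and (p < 0 or p > 61440 or p % 4096):
            findings.append(f"{name}: priority {p} must be 0..61440 in steps of 4096")
        for iface in [name] + b["members"]:
            if iface not in cloned:
                findings.append(f"{iface} is missing from cloned_interfaces")
    for tag, owners in tag_owner.items():
        if len(owners) > 1:
            findings.append(f"VLAN {tag} is bridged by more than one bridge: {sorted(owners)}")
    return findings


def audit_rc_conf(text):
    cfg = parse_rc_conf(text)
    return check_vlan_separation(cfg, parse_vlans(cfg), parse_bridges(cfg))


if __name__ == "__main__":
    for f in audit_rc_conf(RC_CONF) or ["OK: one 802.1Q tag per bridge, one member per trunk port"]:
        print(f)
```

The check is deliberately static: it confirms the rc.conf layout is the one the submitter intended, but it says nothing about the runtime problem in the report (the zeroed bridge ID and the STP errors), which has to be diagnosed on the box with ifconfig and tcpdump. Pointing it at an edited copy where vlan101 is given tag 50 reports bridge0 as mixing tags and VLAN 50 as bridged twice.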