From rea@rea.mbslab.kiae.ru  Mon Mar 13 11:21:51 2006
Return-Path: <rea@rea.mbslab.kiae.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B6DCA16A41F;
	Mon, 13 Mar 2006 11:21:47 +0000 (UTC)
	(envelope-from rea@rea.mbslab.kiae.ru)
Received: from rea.mbslab.kiae.ru (rea.mbslab.kiae.ru [144.206.177.25])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8298343D46;
	Mon, 13 Mar 2006 11:21:47 +0000 (GMT)
	(envelope-from rea@rea.mbslab.kiae.ru)
Received: from rea.mbslab.kiae.ru (localhost [127.0.0.1])
	by rea.mbslab.kiae.ru (Postfix) with ESMTP id 7F423BC24;
	Mon, 13 Mar 2006 14:21:45 +0300 (MSK)
Received: by rea.mbslab.kiae.ru (Postfix, from userid 1000)
	id 50D28BBD8; Mon, 13 Mar 2006 14:21:45 +0300 (MSK)
Message-Id: <20060313112145.50D28BBD8@rea.mbslab.kiae.ru>
Date: Mon, 13 Mar 2006 14:21:45 +0300 (MSK)
From: Eygene A.Ryabinkin <rea-fbsd@rea.mbslab.kiae.ru>
Reply-To: Eygene A.Ryabinkin <rea-fbsd@rea.mbslab.kiae.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: glebius@FreeBSD.org
Subject: if_bridge breaks proxy ARP functionality
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         94408
>Category:       kern
>Synopsis:       [if_bridge] [patch] if_bridge breaks proxy ARP functionality
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    thompsa
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 13 11:30:45 GMT 2006
>Closed-Date:    Mon Jul 10 01:04:12 GMT 2006
>Last-Modified:  Mon Jul 10 01:04:12 GMT 2006
>Originator:     Eygene A. Ryabinkin
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXXX 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #X: Tue Mar 7 20:15:22 MSK 2006 root@XXXX:/usr/obj/usr/src/sys/XXXX i386


	
>Description:
 When many interfaces are bridged together via if_bridge (or old-style
BRIDGE) the proxy ARP functionality will not work for some interfaces of
the bridge: kern/75634 modified the source code of netinet/if_ether.c to
send proxied replies only if the original ARP request came from the
interface the proxy ARP entry belongs to.

 This is correct for the standalone interface, but if many interfaces
are bridged I expect (but it is only my expectation) to get the proxied
reply on any of the bridged interfaces if the proxy ARP entry exists for
at least one interface from that bridge.

 Another way to explain the problem: suppose we have the proxy ARP
entry for IP NN and MAC MM on the interface fxp0. And interfaces fxp0
and fxp1 are bridged via if_bridge. Then all ARP requests for NN coming
via fxp0 will be answered with MAC MM, but none of the ARP requests for NN
coming via fxp1 will be answered, because the proxy ARP entry has fxp0
as the interface, not fxp1.

>How-To-Repeat:
 Make two bridged interfaces. Make the proxy arp entry for one of them.
Do the ARP request from the subnet part that is behind another interface.
You will get no answer. Do the ARP request from the subnet part that
is behind the first interface: you will get the correct answer.

>Fix:
 
 The obvious way to fix the problem is to enable the proxy ARP answers
on any of the bridged interfaces if the proxy record belongs to any of
the bridged interfaces. The following patch inhibits such behaviour for
if_bridge. I'm not using the old-style BRIDGE now, but I believe that
the problem can be fixed for BRIDGE as well.

 The patch itself:
-----
--- if_ether.c.orig	Sun Mar 12 11:37:42 2006
+++ if_ether.c	Mon Mar 13 10:18:20 2006
@@ -863,10 +863,13 @@
 		} else {
 			/*
 			 * Return proxied ARP replies only on the interface
-			 * where this network resides. Otherwise we may
-			 * conflict with the host we are proxying for.
+			 * or bridge cluster where this network resides.
+			 * Otherwise we may conflict with the host we are
+			 * proxying for.
 			 */
-			if (rt->rt_ifp != ifp) {
+			if (rt->rt_ifp != ifp &&
+			    (rt->rt_ifp->if_bridge != ifp->if_bridge ||
+			    ifp->if_bridge == NULL)) {
 				RT_UNLOCK(rt);
 				goto drop;
 			}
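Review bot: in the new if condition, the ifp->if_bridge == NULL test comes after the pointer comparison, which hides that it is there only to keep two unbridged interfaces (both if_bridge pointers NULL) from being treated as members of one bridge; testing "ifp->if_bridge != NULL && rt->rt_ifp->if_bridge == ifp->if_bridge" as the same-bridge case and dropping otherwise would read more directly. The updated comment should also state that replies are now sent on every member of the bridge, so the "conflict with the host we are proxying for" caveat holds only when that host is not itself reachable through another member of the same bridge.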
-----

 I am almost sure that the behaviour my patch enables is the correct one:
this is a bridge and ARP queries are broadcasts, so we should answer such
queries on any bridge interface. But someone who is better skilled with
networking can correct me: please do it if I am wrong.
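
 The fxp0/fxp1 scenario from the description, as an added user-space model
that is not part of the original PR or of the FreeBSD source. The struct is
reduced to two fields, and fxp2, em0, em1, br0, br1 and drop_no_null_test()
are constructed for illustration.

```c
/* User-space model of the proxy ARP interface check; not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct ifnet { const char *if_xname; void *if_bridge; }; /* modelled fields */

/* Check before the patch: reply only on the interface owning the entry. */
static int drop_original(const struct ifnet *rt_ifp, const struct ifnet *ifp)
{
	return rt_ifp != ifp;
}

/* Check from the patch: also reply on other members of the same bridge. */
static int drop_patched(const struct ifnet *rt_ifp, const struct ifnet *ifp)
{
	return rt_ifp != ifp &&
	    (rt_ifp->if_bridge != ifp->if_bridge || ifp->if_bridge == NULL);
}

/* Hypothetical variant without the NULL test, to show why it is needed. */
static int drop_no_null_test(const struct ifnet *rt_ifp, const struct ifnet *ifp)
{
	return rt_ifp != ifp && rt_ifp->if_bridge != ifp->if_bridge;
}

static int br0, br1; /* stand-ins for two distinct bridge instances */
static struct ifnet fxp0 = { "fxp0", &br0 }, fxp1 = { "fxp1", &br0 };
static struct ifnet fxp2 = { "fxp2", &br1 };
static struct ifnet em0 = { "em0", NULL }, em1 = { "em1", NULL };

int main(void)
{
	/* {interface owning the proxy entry, interface the request came in on} */
	const struct ifnet *c[][2] = {
		{ &fxp0, &fxp0 }, { &fxp0, &fxp1 }, { &fxp0, &fxp2 },
		{ &fxp0, &em0 }, { &em0, &em1 },
	};
	size_t i;

	printf("entry  rcvd   original  patched  no-NULL-test\n");
	for (i = 0; i < sizeof(c) / sizeof(c[0]); i++)
		printf("%-6s %-6s %-9s %-8s %s\n",
		    c[i][0]->if_xname, c[i][1]->if_xname,
		    drop_original(c[i][0], c[i][1]) ? "drop" : "reply",
		    drop_patched(c[i][0], c[i][1]) ? "drop" : "reply",
		    drop_no_null_test(c[i][0], c[i][1]) ? "drop" : "reply");
	return 0;
}
```

 The last row is the case the NULL test guards: two unbridged interfaces both
carry a NULL bridge pointer, and without the test they would compare as the
same bridge and the proxied reply would go out on an unrelated segment.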
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->thompsa 
Responsible-Changed-By: thompsa 
Responsible-Changed-When: Fri May 19 06:05:28 UTC 2006 
Responsible-Changed-Why:  
Grab this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=94408 

From: JoaoBR <joao@matik.com.br>
To: bug-followup@freebsd.org, rea-fbsd@rea.mbslab.kiae.ru
Cc:  
Subject: Re: kern/94408: [if_bridge] [patch] if_bridge breaks proxy ARP functionality
Date: Fri, 19 May 2006 13:05:24 -0300

 
 On Eygene's request, here is the working patch for releng_6
 
 
 João
 
 Attachment: if_ether.c.patch.tar.gz (application/x-tgz)
State-Changed-From-To: open->patched 
State-Changed-By: thompsa 
State-Changed-When: Fri Jun 9 00:35:56 UTC 2006 
State-Changed-Why:  
Committed to HEAD and awaiting MFC. Thanks for the patch! 

State-Changed-From-To: patched->closed 
State-Changed-By: thompsa 
State-Changed-When: Mon Jul 10 01:03:44 UTC 2006 
State-Changed-Why:  
MFC complete, thanks for the patch. 

>Unformatted:
