Bjoern A. Zeeb:
> On Wed, 30 Jul 2025, Lexi Winter wrote:
>
> > currently we allow users to create a vlan and a bridge on the same
> > interface, like this:
> >
> > % ifconfig ix0.100 create
> > % ifconfig bridge0 create addm ix0
> >
> > i am aware that some people are using this in production, but because it
> > doesn't work properly[0], i would like to forbid this configuration in
> > 16.0, i.e. it would not be possible to add an interface to a bridge if
> > vlans are present on that interface, and vice versa.
> Do you intend to make it a sysctl in 15 already so people can forbid it
> upfront before migrating to 16, and in 16 before stable/16 just remove
> it altogether?
>
> Or if it is not too late for 15, simply have the sysctl disabled by
> default in 15 and people can rescue themselves flipping it for the
> lifetime of 15?
> Given the other changes, I wonder if it would just make sense to get
> all the cases/possible breakage sorted in one go that way?

considering how close stable/15 is i wasn't planning to make any change here for 15.0, but if there's consensus this is the right way to go, we could add a WARNING printf for 15.0 indicating this might be removed in the future, then add a sysctl which is disabled by default in 16.0 and remove it in 17.0. since many instances of this type of configuration can be replaced by vlan filtering, this gives users one release to convert their network setup without having to enable non-default sysctls.

i have a related change (currently part of D51260, but that probably won't be landed as-is) which changes the behaviour here so that if any vlan(4) is configured on the interface, *all* tagged packets go to vlan and are ignored by bridge. this makes the code cleaner and i think is also more understandable to users, but it does somewhat change the behaviour.

> dwc0 inet6
> bridge0 addm dwc0 addm epair0a ; epair0b in another vnet with another 3 vlans
> on top
> vlan100 inet6 on dwc0
> vlan200 inet6 on dwc0
>
> Normally I would have put the vlan interfaces into the vnet without
> bridge but you cannot have the same vlan N twice on the same parent
> interface. Hence the bridge in the middle. Should really be three
> bridges and 3 epairs on 3 vlan interfaces in the base for the vnet
> but ..
i think bridge is the right solution here, but with vlan filtering, you could do it this way instead:

ifconfig bridge0 create vlanfilter addm dwc0 tagged dwc0 100-399
ifconfig bridge0 addm epair0a untagged epair0a 100 # epair0b in a jail
ifconfig bridge0 addm epair1a untagged epair1a 200 # epair1b in a jail
ifconfig bridge0 addm epair2a untagged epair2a 300 # epair2b in a jail
ifconfig bridge0.100 create # in the host
ifconfig bridge0.200 create # in the host

essentially, i would like to be in a situation where if you're doing switching you use bridge, and if you're doing routing you use vlan(4), and there's never a need for both on the same interface. (if you're doing both switching and routing, you use vlan on top of the bridge, as in this example.)

> > - can you switch your untagged traffic to tagged instead and use a
> > vlan(4) in a bridge? e.g.,
> > % ifconfig ix0.100 create
> > % ifconfig ix0.101 create
> > % ifconfig bridge0 create addm ix0.101
>
> Is this the same setup as above as we are no longer bridging the trunk
> in addition to having a local access VLAN or do I have a different use
> case in mind?

this was supposed to be the same as the "bad" example, except that instead of creating the vlan(4) on the external interface, you create it on the bridge instead. so this would be the simplest migration path for users, but i don't think you can set the vlan(4) vlan id to 0, so this requires changing your upstream device to tag all traffic.

(if it is possible to set vlan id to 0 - which thinking about it, should be allowed - then this might be the easiest migration path for everyone, but i haven't tested this with bridge before.)

> If I were to take my above setup, would the following do the job?
> (syntax may be wrong)
>
> ifconfig bridge0 addm dwc0 [vlanfilter] untagged dwc0 4000 tagged dwc0
> 100,200,300,400
> ifconfig bridge0.4000 inet6 ... # that's the base address formerly on
> dwc0 for untagged on the wire
> ifconfig bridge0.100 inet6 ..
> ifconfig bridge0.200 inet6 ..
> ifconfig bridge0 addm epair0a [vlanfilter] tagged epair0a 100,300,400

i wrote my example above before i read this part of your mail, but yes, this looks reasonable. for now you need 'ifconfig bridge0 addm X vlanfilter X tagged X...', but once D51600 lands (hopefully very soon) you will only need to set vlanfilter once on the bridge itself.

> The only problem I need to figure out is how to transition from a
> netboot setup (address is on the physical interface) to something where
> the address migrates to the bridge without losing the NFS root mount...
> Has anyone found a solution for that already?

there was a discussion about this on the list a couple of weeks back, but for now i think the answer is no (as in, it should be possible, just no one has written the code yet).
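As an added example (not code from the thread or from the FreeBSD project), a small POSIX sh script that generates the vlan-filtering bridge layout described in the reply from a trunk, its tagged VID set, the jail-side epairs and the host-side vlan(4)s, and refuses any access VID that is not in the trunk's tagged set before emitting anything. The `vlanfilter`/`tagged`/`untagged` syntax is the one quoted in the mail; setting vlanfilter once on the bridge assumes the post-D51600 form, and the function and variable names are mine.

```shell
# Added example, not code from the thread: emit the ifconfig(8) commands that
# replace "vlan(4) on the trunk + bridge on the same trunk" with the
# vlan-filtering bridge layout from the reply (trunk tagged, jail epairs
# untagged, host vlan(4) on top of the bridge). Assumes the post-D51600 form
# where vlanfilter is set once on the bridge. DRY_RUN=1 prints instead of running.

# in_vlan_set VID SET: SET is comma-separated VIDs or ranges, e.g. "100-399,4000".
in_vlan_set() {
    vid=$1 old_ifs=$IFS
    IFS=','
    for item in $2; do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        if [ "$vid" -ge "$lo" ] && [ "$vid" -le "$hi" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# gen_vlan_bridge BRIDGE TRUNK TAGGED_SET "EPAIR:VID ..." "HOSTVID ..."
# Prints one ifconfig command per line; refuses an access VID that is not in
# the trunk's tagged set, since frames for that vlan could never reach the trunk.
gen_vlan_bridge() {
    bridge=$1 trunk=$2 tagged=$3 members=$4 hostvids=$5
    for m in $members; do
        in_vlan_set "${m#*:}" "$tagged" || {
            echo "vid ${m#*:} for ${m%%:*} not in tagged set $tagged" >&2
            return 1
        }
    done
    printf 'ifconfig %s create vlanfilter\n' "$bridge"
    printf 'ifconfig %s addm %s tagged %s %s\n' "$bridge" "$trunk" "$trunk" "$tagged"
    for m in $members; do
        printf 'ifconfig %s addm %s untagged %s %s\n' "$bridge" "${m%%:*}" "${m%%:*}" "${m#*:}"
    done
    for v in $hostvids; do
        printf 'ifconfig %s.%s create\n' "$bridge" "$v"
    done
}

# apply_vlan_bridge: same arguments; runs the generated commands with sh -e
# unless DRY_RUN is set, in which case they are only printed.
apply_vlan_bridge() {
    cmds=$(gen_vlan_bridge "$@") || return 1
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$cmds"; else printf '%s\n' "$cmds" | sh -e; fi
}
```

Running `DRY_RUN=1 apply_vlan_bridge bridge0 dwc0 100-399 "epair0a:100 epair1a:200 epair2a:300" "100 200"` reproduces the six-interface layout from the reply; dropping DRY_RUN applies it and stops at the first ifconfig that fails.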