On Jun 16, 2008, at 7:42 AM, Rene van Hoek wrote:
On Jun 16, 2008, at 5:55 AM, Darren Reed wrote:
Rene van Hoek wrote:
<cut>
Hi,
I took the output of ipfstat -sl, to see the current states. I see
the same source-ip, port <--> destination-ip, port connections
twice. For example:
82.35.175.131 -> 213.201.199.243 pass 0x40004502 pr 6 state 11/4
tag 0 ttl 575536
1201 -> 80 d422a986:43c21a31 65535<<0:65535<<0
cmsk 0000 smsk 0000 s0 d422a8f2/43c14142
FWD:ISN inc 0 sumd 0
REV:ISN inc 0 sumd 0
forward: pkts in 21 bytes in 1000 pkts out 22 bytes out 1048
backward: pkts in 40 bytes in 57143 pkts out 40 bytes out 57143
pass out quick keep state IPv4
pkt_flags & 0(10000) = 1000, pkt_options & ffffffff = 0, ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
is_flx 0x1 0x1 0x1 0x1
interfaces: in X[em0],X[bge0] out X[bge0],X[bridge0]
Sync status: not synchronized
82.35.175.131 -> 213.201.199.243 pass 0x40008502 pr 6 state 11/4
tag 0 ttl 575536
1201 -> 80 d422a986:43c21a31 65535<<0:65535<<0
cmsk 0000 smsk 0000 s0 d422a8f2/43c14142
FWD:ISN inc 0 sumd 0
REV:ISN inc 0 sumd 0
forward: pkts in 1 bytes in 48 pkts out 22 bytes out 1048
backward: pkts in 40 bytes in 57143 pkts out 40 bytes out 57143
pass in quick keep state IPv4
pkt_flags & 0(10000) = 1000, pkt_options & ffffffff = 0, ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
is_flx 0x1 0x1 0x1 0x1
interfaces: in X[em0],X[bridge0] out X[bridge0],X[em0]
Sync status: not synchronized
This is the same connection listed twice. What I notice is the
different list of interfaces in the two states. My ifconfig output
is as follows:
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=198<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
ether 00:15:17:75:ab:84
inet 195.86.22.53 netmask 0xfffffff0 broadcast 195.86.22.63
media: Ethernet autoselect (100baseTX <half-duplex>)
status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
ether 00:15:17:75:ab:85
media: Ethernet autoselect
status: no carrier
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:1e:c9:bb:7f:fd
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:1e:c9:bb:7f:fe
media: Ethernet autoselect (none)
status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 32:39:9f:e0:10:a3
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
Interface em0 is connected to the internet. bge0 is connected to our
servers through a Cisco switch.
The output of sysctl net.link.bridge is as follows:
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
According to the FreeBSD manual page IF_BRIDGE(4) (quote):
'net.link.bridge.pfil_member  Set to 1 to enable filtering on the incoming and outgoing member interfaces, set to 0 to disable it.
net.link.bridge.pfil_bridge  Set to 1 to enable filtering on the bridge interface, set to 0 to disable it.'
Should I set net.link.bridge.pfil_bridge to 0 and
net.link.bridge.pfil_member to 1?
Greetings,
Rene van Hoek
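Added example, not part of the thread and not ipfilter's own tooling: a small Python parser for the ipfstat -sl record layout quoted in the post. It groups state entries by 5-tuple and reports every flow that appears more than once, together with the rule direction, rule flags and interface list recorded in each copy. That is the information to compare before touching the net.link.bridge.pfil_* sysctls, because two copies of one flow created by a "pass out" rule and a "pass in" rule with different interface sets point at the packet being handed to the filter at more than one hook point. The sample input is an abridged version of the two records from the post (only the lines the parser reads); the function names and dictionary field names are this example's own, not ipfilter's.

```python
import re
from collections import defaultdict

# Line patterns for the ipfstat -sl layout seen in the post. Field names
# used on the right-hand side below are this example's own, not ipfilter's.
HEADER_RE = re.compile(
    r'^(\S+) -> (\S+) (\S+) (0x[0-9a-fA-F]+) pr (\d+) state (\S+)')
PORTS_RE = re.compile(r'^(\d+) -> (\d+) ')          # "1201 -> 80 ..." (TCP/UDP)
RULE_RE = re.compile(r'^(pass|block) (in|out) ')    # the rule that made the state
IFACES_RE = re.compile(r'^interfaces: in (\S+) out (\S+)')


def parse_ipfstat_sl(text):
    """Split an ipfstat -sl dump into one dict per state entry."""
    entries = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:  # a new state record starts with "src -> dst action flags pr N state ..."
            cur = {
                "src": m.group(1), "dst": m.group(2), "action": m.group(3),
                "flags": m.group(4), "proto": int(m.group(5)),
                "state": m.group(6), "sport": None, "dport": None,
                "direction": None, "rule": None, "in_ifs": [], "out_ifs": [],
            }
            entries.append(cur)
            continue
        if cur is None:
            continue  # ignore anything before the first record
        m = PORTS_RE.match(line)
        if m and cur["sport"] is None:
            cur["sport"], cur["dport"] = int(m.group(1)), int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            cur["direction"], cur["rule"] = m.group(2), line
            continue
        m = IFACES_RE.match(line)
        if m:
            cur["in_ifs"] = m.group(1).split(",")
            cur["out_ifs"] = m.group(2).split(",")
    return entries


def find_duplicate_states(entries):
    """Group states by (proto, src, sport, dst, dport); keep tuples seen twice or more."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["proto"], e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(dups):
    """Render duplicates as text: one header line per flow, one line per copy."""
    lines = []
    for (proto, src, sport, dst, dport), copies in sorted(dups.items(), key=lambda kv: str(kv[0])):
        lines.append(f"flow pr {proto} {src}:{sport} -> {dst}:{dport} has {len(copies)} state entries")
        for e in copies:
            lines.append(f"  rule={e['rule']!r} flags={e['flags']} "
                         f"in={','.join(e['in_ifs'])} out={','.join(e['out_ifs'])}")
    return lines


# Sample input: the two records quoted in the post, abridged to the lines the
# parser reads (constructed from the thread, not captured by this example).
SAMPLE = """\
82.35.175.131 -> 213.201.199.243 pass 0x40004502 pr 6 state 11/4
1201 -> 80 d422a986:43c21a31 65535<<0:65535<<0
forward: pkts in 21 bytes in 1000 pkts out 22 bytes out 1048
backward: pkts in 40 bytes in 57143 pkts out 40 bytes out 57143
pass out quick keep state IPv4
pkt_flags & 0(10000) = 1000, pkt_options & ffffffff = 0, ffffffff = 0
interfaces: in X[em0],X[bge0] out X[bge0],X[bridge0]
Sync status: not synchronized
82.35.175.131 -> 213.201.199.243 pass 0x40008502 pr 6 state 11/4
1201 -> 80 d422a986:43c21a31 65535<<0:65535<<0
forward: pkts in 1 bytes in 48 pkts out 22 bytes out 1048
backward: pkts in 40 bytes in 57143 pkts out 40 bytes out 57143
pass in quick keep state IPv4
pkt_flags & 0(10000) = 1000, pkt_options & ffffffff = 0, ffffffff = 0
interfaces: in X[em0],X[bridge0] out X[bridge0],X[em0]
Sync status: not synchronized
"""

if __name__ == "__main__":
    import sys
    # Piped input (e.g. "ipfstat -sl | python3 dupstates.py") wins over the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(report(find_duplicate_states(parse_ipfstat_sl(text)))) or "no duplicate states")
```

On the sample the script reports one flow with two entries: one made by the "pass out" rule with interfaces em0/bge0, one by the "pass in" rule with interfaces em0/bridge0. Only the header, port, rule and interfaces lines are interpreted; the counters and the rest of each record are passed over, so the parser also copes with dumps where those lines differ or are wrapped.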