Re: Bridge over gif on 4.1
Renaud Allard wrote:
> Markus Friedl wrote:
> > On Fri, Apr 13, 2007 at 12:03:18PM +0200, Renaud Allard wrote:
> > > It's just quite annoying that the man page for brconfig says that
> > > the bridge over gif should work and it does not.
> >
> > well, it did work before and should work in 4.1
>
> I know. But with 4.1, it doesn't work with the config I posted and it
> doesn't work either with 4.1-current of April 6th.

It works great with the following patch from Markus on a -stable branch:

Index: sys/net/if_bridge.c === RCS file: /cvs/src/sys/net/if_bridge.c,v retrieving revision 1.158 diff -u -p -u -r1.158 if_bridge.c --- sys/net/if_bridge.c 10 Apr 2007 17:47:55 - 1.158 +++ sys/net/if_bridge.c 16 May 2007 09:03:44 - @@ -2705,6 +2705,11 @@ bridge_ifenqueue(struct bridge_softc *sc int error, len; short mflags; +#if NGIF 0 + /* Packet needs etherip encapsulation. */ + if (ifp-if_type == IFT_GIF) + m-m_flags |= M_PROTO1; +#endif len = m-m_pkthdr.len; mflags = m-m_flags; IFQ_ENQUEUE(ifp-if_snd, m, NULL, error); Index: sys/net/if_gif.c === RCS file: /cvs/src/sys/net/if_gif.c,v retrieving revision 1.43 diff -u -p -u -r1.43 if_gif.c --- sys/net/if_gif.c19 Apr 2007 09:28:40 - 1.43 +++ sys/net/if_gif.c16 May 2007 09:03:44 - @@ -217,6 +217,7 @@ gif_start(ifp) m-m_flags = ~(M_BCAST|M_MCAST); /* extract address family */ + family = AF_UNSPEC; tp = *mtod(m, u_int8_t *); tp = (tp 4) 0xff; /* Get the IP version number. */ #ifdef INET @@ -233,16 +234,10 @@ gif_start(ifp) * Check if the packet is comming via bridge and needs * etherip encapsulation or not. */ - if (ifp-if_bridge) - for (mtag = m_tag_find(m, PACKET_TAG_BRIDGE, NULL); - mtag; - mtag = m_tag_find(m, PACKET_TAG_BRIDGE, mtag)) { - if (!bcmp(ifp-if_bridge, mtag + 1, - sizeof(caddr_t))) { - family = AF_LINK; - break; - } - } + if (ifp-if_bridge (m-m_flags M_PROTO1)) { + m-m_flags = ~M_PROTO1; + family = AF_LINK; + } #endif #if NBPFILTER 0
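Review bot: in the bridge_ifenqueue() hunk of if_bridge.c, the new NGIF block marks every mbuf queued to an IFT_GIF member with M_PROTO1 but says nothing about who consumes the flag; since M_PROTO1 is a protocol-private mbuf flag that other code paths may also claim, extend the comment to name gif_start() as the consumer that tests and clears it. Note also that `mflags = m-m_flags;` is taken right after the flag is set, so mflags now carries M_PROTO1 too; that is harmless if mflags is only consulted for multicast accounting later in the function, but it is worth confirming.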
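Review bot: the first if_gif.c hunk (`+ family = AF_UNSPEC;` before the version-nibble extraction in gif_start()) closes a path where neither the INET nor the INET6 case assigned family and it was read uninitialised further down; the hunk does not show how gif_start() treats AF_UNSPEC afterwards, so confirm that the later dispatch on family drops the mbuf and counts an output error instead of handing it to an encapsulation routine.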
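Review bot: the second if_gif.c hunk replaces the PACKET_TAG_BRIDGE tag walk, which compared the bridge pointer stored in the tag against ifp->if_bridge, with a test of the M_PROTO1 flag guarded by ifp->if_bridge; the new test no longer checks which bridge the frame came from, which is acceptable only as long as bridge_ifenqueue() is the sole setter of M_PROTO1 on this path. The flag is cleared only inside the taken branch, so a frame carrying M_PROTO1 that reaches a gif with no if_bridge keeps the stale bit; clearing M_PROTO1 unconditionally after the test would avoid that.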
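The patch above decides whether a frame leaving a bridged gif(4) needs etherip encapsulation. As an added example, not code from this thread or from OpenBSD's if_gif.c, the following Python builds the kind of frame the thread is about (a broadcast ARP request from the LAN, 14 + 28 bytes as Renaud notes), wraps it in the EtherIP header (IP protocol 97, RFC 3378) the way the bridged gif path does before handing it to IPsec, and validates the wrapper on the receiving side. The IPv4 addresses are constructed sample values; the sender MAC is taken from the posted brconfig table.

```python
"""EtherIP (IP protocol 97, RFC 3378) framing of a bridged Ethernet frame.

Added example, not code from the thread or from OpenBSD: it shows what a
bridge member gif(4) puts on the wire for a broadcast ARP request and how
the far end should validate the 2-byte EtherIP header before handing the
inner frame to its bridge. Addresses below are constructed sample data.
"""
import struct

ETHERIP_PROTO = 97          # IP protocol number of the outer IP header
ETHERIP_VERSION = 3         # RFC 3378: the version nibble must be 3
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def mac(text):
    """'00:11:85:25:fa:00' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text):
    """'172.17.1.10' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet frame carrying an ARP who-has request (14 + 28 bytes)."""
    eth = BROADCAST_MAC + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # Ethernet/IPv4, opcode request
           + sender_mac + ipv4(sender_ip)
           + b"\x00" * 6 + ipv4(target_ip))
    return eth + arp


def etherip_encap(frame):
    """Prepend the EtherIP header: version 3 in the top nibble, 12 reserved zero bits."""
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame


def etherip_decap(payload):
    """Strip and validate the EtherIP header; raise ValueError on anything odd."""
    if len(payload) < 2 + 14:
        raise ValueError("payload too short for EtherIP header plus Ethernet header")
    (hdr,) = struct.unpack("!H", payload[:2])
    if hdr >> 12 != ETHERIP_VERSION:
        raise ValueError("unsupported EtherIP version %d" % (hdr >> 12))
    if hdr & 0x0FFF:
        raise ValueError("reserved bits set in EtherIP header")
    return payload[2:]


def is_valid_etherip(payload):
    """True if etherip_decap() would accept the payload."""
    try:
        etherip_decap(payload)
    except ValueError:
        return False
    return True


def classify_frame(frame):
    """What the receiving bridge sees: addresses, ethertype, broadcast flag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {
        "dst": ":".join("%02x" % b for b in dst),
        "src": ":".join("%02x" % b for b in src),
        "ethertype": ethertype,
        "broadcast": dst == BROADCAST_MAC,
    }


if __name__ == "__main__":
    frame = build_arp_request(mac("00:11:85:25:fa:00"), "172.17.1.10", "172.17.1.20")
    packet = etherip_encap(frame)
    print("frame %d bytes, with EtherIP header %d bytes" % (len(frame), len(packet)))
    print(classify_frame(etherip_decap(packet)))
```

The receiving side rejects a wrong version nibble, non-zero reserved bits and truncated payloads before the inner frame reaches the bridge; that is the same class of check a kernel etherip input path performs before it trusts the Ethernet header inside the tunnel.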
Re: Bridge over gif on 4.1
-Original message-
From: Renaud Allard [EMAIL PROTECTED]
Sent: Fri 04/13/07 09:11:47
To: Renaud Allard [EMAIL PROTECTED];
CC: [EMAIL PROTECTED];
Subject: Re: Bridge over gif on 4.1

> It should be noted that when I put an IP on each sis1 interface, they can
> ping each other through the if tunnel. Only the ARP packets from the LAN
> don't seem to pass. Is this a bug or am I missing something?
>
> [snip]
>
> I changed net.inet.ip.forwarding=1 and net.inet.etherip.allow=1 but it
> did not help. Is something wrong with my configuration?

Hi Renaud,

I think your config looks alright, you just need to allow multicast packets
to be forwarded by setting:

net.inet.ip.mforwarding=1

Also, don't forget to add some routing (on your gateway to the bridge).

Regards,
Sjoerd Oostdijck.
Re: Bridge over gif on 4.1
Sjoerd Oostdijck wrote:
> -Original message-
> From: Renaud Allard [EMAIL PROTECTED]
> Sent: Fri 04/13/07 09:11:47
> To: Renaud Allard [EMAIL PROTECTED];
> CC: [EMAIL PROTECTED];
> Subject: Re: Bridge over gif on 4.1
>
> > It should be noted that when I put an IP on each sis1 interface, they
> > can ping each other through the if tunnel. Only the ARP packets from
> > the LAN don't seem to pass. Is this a bug or am I missing something?
> >
> > [snip]
> >
> > I changed net.inet.ip.forwarding=1 and net.inet.etherip.allow=1 but it
> > did not help. Is something wrong with my configuration?
>
> Hi Renaud,
>
> I think your config looks alright, you just need to allow multicast
> packets to be forwarded by setting:
>
> net.inet.ip.mforwarding=1
>
> Also, don't forget to add some routing (on your gateway to the bridge).

Well, thanks for your reply. However net.inet.ip.mforwarding is already set
to 1. I don't see what you mean by adding some routing on my gateway to the
bridge. Both routers can see and communicate with the other. There is no
filtering done between the two routers. pf is disabled on both routers and
there are no rules on the bridge.

If I put an IP on sis1 on router1 and try to ping from router1 the only host
on the LAN on router2, and if I sniff on this host, I see ARP requests and
ARP replies. The replies are received on bridge0 on router2, and I see
entries on gif0, but they just don't go back through gif0. I don't think the
gif0 mtu 1280 can be the problem as ARP requests/replies are only 28 bytes +
etherip overhead.
Re: Bridge over gif on 4.1
On Fri, Apr 13, 2007 at 09:26:56AM +0200, Sjoerd Oostdijck wrote:
> -Original message-
> From: Renaud Allard [EMAIL PROTECTED]
> Sent: Fri 04/13/07 09:11:47
> To: Renaud Allard [EMAIL PROTECTED];
> CC: [EMAIL PROTECTED];
> Subject: Re: Bridge over gif on 4.1
>
> > It should be noted that when I put an IP on each sis1 interface, they
> > can ping each other through the if tunnel. Only the ARP packets from
> > the LAN don't seem to pass. Is this a bug or am I missing something?
> >
> > [snip]
> >
> > I changed net.inet.ip.forwarding=1 and net.inet.etherip.allow=1 but it
> > did not help. Is something wrong with my configuration?
>
> Hi Renaud,
>
> I think your config looks alright, you just need to allow multicast
> packets to be forwarded by setting:
>
> net.inet.ip.mforwarding=1

No. Multicast forwarding is only needed if you are routing multicast
packets. So unless you are running mrouted or dvmrpd on your system you
most probably don't need it. Layer 2 bridging does not need it in any case
as the broadcast domain is not split by a bridge.

--
:wq Claudio
Re: Bridge over gif on 4.1
Also, if I use openvpn with a tun0 (link0) instead of gif, packets pass
through the tunnel. Although there are still some other problems because the
broadcast for ARP seems to change from ff:ff:ff:ff:ff:ff to 0:0:0:2:ff:ff.

Renaud Allard wrote:
> It should be noted that when I put an IP on each sis1 interface, they can
> ping each other through the if tunnel. Only the ARP packets from the LAN
> don't seem to pass. Is this a bug or am I missing something?
>
> Renaud Allard wrote:
> > When sniffing on gif0 (tcpdump -ttt -n -e -i gif0), I get:
> >
> > Apr 12 17:28:53.857812
> > Apr 12 17:28:53.860054
> > Apr 12 17:28:53.893533
> > Apr 12 17:28:53.976284
> > Apr 12 17:28:54.023758
> > Apr 12 17:28:54.024148
> > Apr 12 17:28:54.024565
> > Apr 12 17:28:54.079725
> > Apr 12 17:28:54.094511
> > Apr 12 17:28:54.145102
> >
> > Nothing more. Has someone any idea on why I don't see the packets? I
> > tried setting the gif0 mtu to 1500 in case this could be a mtu problem,
> > but I still get the same thing. ARP broadcasts don't seem to pass
> > through the tunnel.
> >
> > Renaud Allard wrote:
> > > Hello,
> > >
> > > I have a setup like this:
> > >
> > > *** router1
> > >
> > > hostname.gif0:
> > > up
> > > tunnel 172.17.0.170 195.16.12.50
> > >
> > > hostname.sis0:
> > > inet 172.17.0.170 255.255.0.0 NONE
> > >
> > > hostname.sis1:
> > > up
> > >
> > > bridgename.bridge0:
> > > add gif0
> > > add sis1
> > > up
> > >
> > > ipsec.conf:
> > > ike esp proto etherip from 172.17.0.170 to 195.16.12.50
> > >
> > > # netstat -nr | tail -2
> > > 195.16.12.50/32 0 172.17.0.170/32 0 97 195.16.12.50/esp/use/in
> > > 172.17.0.170/32 0 195.16.12.50/32 0 97 195.16.12.50/esp/require/out
> > >
> > > # brconfig
> > > bridge0: flags=41<UP,RUNNING>
> > >         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> > >         sis1 flags=3<LEARNING,DISCOVER>
> > >                 port 2 ifpriority 0 ifcost 0
> > >         gif0 flags=3<LEARNING,DISCOVER>
> > >                 port 14 ifpriority 0 ifcost 0
> > >         Addresses (max cache: 100, timeout: 240):
> > >                 00:11:85:25:fa:00 sis1 1 flags=0
> > >                 00:11:85:21:09:40 sis1 1 flags=0
> > >                 00:30:05:d1:17:58 sis1 1 flags=0
> > >                 etc
> > >
> > > *** router2
> > >
> > > hostname.gif0:
> > > up
> > > tunnel 195.16.12.50 172.17.0.170
> > >
> > > hostname.sis0:
> > > inet 195.16.12.50 255.255.254.0 NONE
> > >
> > > hostname.sis1:
> > > up
> > >
> > > bridgename.bridge0:
> > > add gif0
> > > add sis1
> > > up
> > >
> > > ipsec.conf:
> > > ike esp proto etherip from 195.16.12.50 to 172.17.0.170
> > >
> > > # netstat -nr | tail -2
> > > 172.17.0.170/32 0 195.16.12.50/32 0 97 172.17.0.170/esp/use/in
> > > 195.16.12.50/32 0 172.17.0.170/32 0 97 172.17.0.170/esp/require/out
> > >
> > > # brconfig
> > > bridge0: flags=41<UP,RUNNING>
> > >         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> > >         sis1 flags=3<LEARNING,DISCOVER>
> > >                 port 2 ifpriority 0 ifcost 0
> > >         gif0 flags=3<LEARNING,DISCOVER>
> > >                 port 10 ifpriority 0 ifcost 0
> > >         Addresses (max cache: 100, timeout: 240):
> > >                 00:09:6b:45:27:59 sis1 1 flags=0
> > >
> > > *
> > >
> > > If I do tcpdump -ttt -n -e -vv -i gif0 on both routers, I see some
> > > traffic. But this is only local traffic, no packet is forwarded
> > > between both routers. If I do a tcpdump on the only router between
> > > router1 and router2, I see no traffic except the ipsec negotiation.
> > >
> > > I changed net.inet.ip.forwarding=1 and net.inet.etherip.allow=1 but
> > > it did not help. Is something wrong with my configuration?
Re: Bridge over gif on 4.1
Well, it works with openvpn now, I just forgot to add dev-type tap in the
config file. It's just quite annoying that the man page for brconfig says
that the bridge over gif should work and it does not.

Renaud Allard wrote:
> Also, if I use openvpn with a tun0 (link0) instead of gif, packets pass
> through the tunnel. Although there are still some other problems because
> the broadcast for ARP seems to change from ff:ff:ff:ff:ff:ff to
> 0:0:0:2:ff:ff.
>
> Renaud Allard wrote:
> > It should be noted that when I put an IP on each sis1 interface, they
> > can ping each other through the if tunnel. Only the ARP packets from
> > the LAN don't seem to pass. Is this a bug or am I missing something?
> >
> > Renaud Allard wrote:
> > > When sniffing on gif0 (tcpdump -ttt -n -e -i gif0), I get:
> > >
> > > Apr 12 17:28:53.857812
> > > Apr 12 17:28:53.860054
> > > Apr 12 17:28:53.893533
> > > Apr 12 17:28:53.976284
> > > Apr 12 17:28:54.023758
> > > Apr 12 17:28:54.024148
> > > Apr 12 17:28:54.024565
> > > Apr 12 17:28:54.079725
> > > Apr 12 17:28:54.094511
> > > Apr 12 17:28:54.145102
> > >
> > > Nothing more. Has someone any idea on why I don't see the packets?
> > > I tried setting the gif0 mtu to 1500 in case this could be a mtu
> > > problem, but I still get the same thing. ARP broadcasts don't seem
> > > to pass through the tunnel.
> > >
> > > Renaud Allard wrote:
> > > > Hello,
> > > >
> > > > I have a setup like this:
> > > >
> > > > *** router1
> > > >
> > > > hostname.gif0:
> > > > up
> > > > tunnel 172.17.0.170 195.16.12.50
> > > >
> > > > hostname.sis0:
> > > > inet 172.17.0.170 255.255.0.0 NONE
> > > >
> > > > hostname.sis1:
> > > > up
> > > >
> > > > bridgename.bridge0:
> > > > add gif0
> > > > add sis1
> > > > up
> > > >
> > > > ipsec.conf:
> > > > ike esp proto etherip from 172.17.0.170 to 195.16.12.50
> > > >
> > > > # netstat -nr | tail -2
> > > > 195.16.12.50/32 0 172.17.0.170/32 0 97 195.16.12.50/esp/use/in
> > > > 172.17.0.170/32 0 195.16.12.50/32 0 97 195.16.12.50/esp/require/out
> > > >
> > > > # brconfig
> > > > bridge0: flags=41<UP,RUNNING>
> > > >         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> > > >         sis1 flags=3<LEARNING,DISCOVER>
> > > >                 port 2 ifpriority 0 ifcost 0
> > > >         gif0 flags=3<LEARNING,DISCOVER>
> > > >                 port 14 ifpriority 0 ifcost 0
> > > >         Addresses (max cache: 100, timeout: 240):
> > > >                 00:11:85:25:fa:00 sis1 1 flags=0
> > > >                 00:11:85:21:09:40 sis1 1 flags=0
> > > >                 00:30:05:d1:17:58 sis1 1 flags=0
> > > >                 etc
> > > >
> > > > *** router2
> > > >
> > > > hostname.gif0:
> > > > up
> > > > tunnel 195.16.12.50 172.17.0.170
> > > >
> > > > hostname.sis0:
> > > > inet 195.16.12.50 255.255.254.0 NONE
> > > >
> > > > hostname.sis1:
> > > > up
> > > >
> > > > bridgename.bridge0:
> > > > add gif0
> > > > add sis1
> > > > up
> > > >
> > > > ipsec.conf:
> > > > ike esp proto etherip from 195.16.12.50 to 172.17.0.170
> > > >
> > > > # netstat -nr | tail -2
> > > > 172.17.0.170/32 0 195.16.12.50/32 0 97 172.17.0.170/esp/use/in
> > > > 195.16.12.50/32 0 172.17.0.170/32 0 97 172.17.0.170/esp/require/out
> > > >
> > > > # brconfig
> > > > bridge0: flags=41<UP,RUNNING>
> > > >         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> > > >         sis1 flags=3<LEARNING,DISCOVER>
> > > >                 port 2 ifpriority 0 ifcost 0
> > > >         gif0 flags=3<LEARNING,DISCOVER>
> > > >                 port 10 ifpriority 0 ifcost 0
> > > >         Addresses (max cache: 100, timeout: 240):
> > > >                 00:09:6b:45:27:59 sis1 1 flags=0
> > > >
> > > > *
> > > >
> > > > If I do tcpdump -ttt -n -e -vv -i gif0 on both routers, I see some
> > > > traffic. But this is only local traffic, no packet is forwarded
> > > > between both routers. If I do a tcpdump on the only router between
> > > > router1 and router2, I see no traffic except the ipsec negotiation.
> > > >
> > > > I changed net.inet.ip.forwarding=1 and net.inet.etherip.allow=1
> > > > but it did not help. Is something wrong with my configuration?
Re: Bridge over gif on 4.1
On Fri, Apr 13, 2007 at 12:03:18PM +0200, Renaud Allard wrote:
> It's just quite annoying that the man page for brconfig says that the
> bridge over gif should work and it does not.

well, it did work before and should work in 4.1
Re: Bridge over gif on 4.1
Markus Friedl wrote:
> On Fri, Apr 13, 2007 at 12:03:18PM +0200, Renaud Allard wrote:
> > It's just quite annoying that the man page for brconfig says that the
> > bridge over gif should work and it does not.
>
> well, it did work before and should work in 4.1

I know. But with 4.1, it doesn't work with the config I posted and it
doesn't work either with 4.1-current of April 6th.
Bridge over gif on 4.1
Hello,

I have a setup like this:

*** router1

hostname.gif0:
up
tunnel 172.17.0.170 195.16.12.50

hostname.sis0:
inet 172.17.0.170 255.255.0.0 NONE

hostname.sis1:
up

bridgename.bridge0:
add gif0
add sis1
up

ipsec.conf:
ike esp proto etherip from 172.17.0.170 to 195.16.12.50

# netstat -nr | tail -2
195.16.12.50/32 0 172.17.0.170/32 0 97 195.16.12.50/esp/use/in
172.17.0.170/32 0 195.16.12.50/32 0 97 195.16.12.50/esp/require/out

# brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        sis1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        gif0 flags=3<LEARNING,DISCOVER>
                port 14 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):
                00:11:85:25:fa:00 sis1 1 flags=0
                00:11:85:21:09:40 sis1 1 flags=0
                00:30:05:d1:17:58 sis1 1 flags=0
                etc

*** router2

hostname.gif0:
up
tunnel 195.16.12.50 172.17.0.170

hostname.sis0:
inet 195.16.12.50 255.255.254.0 NONE

hostname.sis1:
up

bridgename.bridge0:
add gif0
add sis1
up

ipsec.conf:
ike esp proto etherip from 195.16.12.50 to 172.17.0.170

# netstat -nr | tail -2
172.17.0.170/32 0 195.16.12.50/32 0 97 172.17.0.170/esp/use/in
195.16.12.50/32 0 172.17.0.170/32 0 97 172.17.0.170/esp/require/out

# brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        sis1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        gif0 flags=3<LEARNING,DISCOVER>
                port 10 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):
                00:09:6b:45:27:59 sis1 1 flags=0

*

If I do tcpdump -ttt -n -e -vv -i gif0 on both routers, I see some traffic.
But this is only local traffic, no packet is forwarded between both routers.
If I do a tcpdump on the only router between router1 and router2, I see no
traffic except the ipsec negotiation.

I changed net.inet.ip.forwarding=1 and net.inet.etherip.allow=1 but it did
not help. Is something wrong with my configuration?
Re: Bridge over gif on 4.1
When sniffing on gif0 (tcpdump -ttt -n -e -i gif0), I get:

Apr 12 17:28:53.857812
Apr 12 17:28:53.860054
Apr 12 17:28:53.893533
Apr 12 17:28:53.976284
Apr 12 17:28:54.023758
Apr 12 17:28:54.024148
Apr 12 17:28:54.024565
Apr 12 17:28:54.079725
Apr 12 17:28:54.094511
Apr 12 17:28:54.145102

Nothing more. Has someone any idea on why I don't see the packets? I tried
setting the gif0 mtu to 1500 in case this could be a mtu problem, but I
still get the same thing. ARP broadcasts don't seem to pass through the
tunnel.

Renaud Allard wrote:
> Hello,
>
> I have a setup like this:
>
> *** router1
>
> hostname.gif0:
> up
> tunnel 172.17.0.170 195.16.12.50
>
> hostname.sis0:
> inet 172.17.0.170 255.255.0.0 NONE
>
> hostname.sis1:
> up
>
> bridgename.bridge0:
> add gif0
> add sis1
> up
>
> ipsec.conf:
> ike esp proto etherip from 172.17.0.170 to 195.16.12.50
>
> # netstat -nr | tail -2
> 195.16.12.50/32 0 172.17.0.170/32 0 97 195.16.12.50/esp/use/in
> 172.17.0.170/32 0 195.16.12.50/32 0 97 195.16.12.50/esp/require/out
>
> # brconfig
> bridge0: flags=41<UP,RUNNING>
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         sis1 flags=3<LEARNING,DISCOVER>
>                 port 2 ifpriority 0 ifcost 0
>         gif0 flags=3<LEARNING,DISCOVER>
>                 port 14 ifpriority 0 ifcost 0
>         Addresses (max cache: 100, timeout: 240):
>                 00:11:85:25:fa:00 sis1 1 flags=0
>                 00:11:85:21:09:40 sis1 1 flags=0
>                 00:30:05:d1:17:58 sis1 1 flags=0
>                 etc
>
> *** router2
>
> hostname.gif0:
> up
> tunnel 195.16.12.50 172.17.0.170
>
> hostname.sis0:
> inet 195.16.12.50 255.255.254.0 NONE
>
> hostname.sis1:
> up
>
> bridgename.bridge0:
> add gif0
> add sis1
> up
>
> ipsec.conf:
> ike esp proto etherip from 195.16.12.50 to 172.17.0.170
>
> # netstat -nr | tail -2
> 172.17.0.170/32 0 195.16.12.50/32 0 97 172.17.0.170/esp/use/in
> 195.16.12.50/32 0 172.17.0.170/32 0 97 172.17.0.170/esp/require/out
>
> # brconfig
> bridge0: flags=41<UP,RUNNING>
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         sis1 flags=3<LEARNING,DISCOVER>
>                 port 2 ifpriority 0 ifcost 0
>         gif0 flags=3<LEARNING,DISCOVER>
>                 port 10 ifpriority 0 ifcost 0
>         Addresses (max cache: 100, timeout: 240):
>                 00:09:6b:45:27:59 sis1 1 flags=0
>
> *
>
> If I do tcpdump -ttt -n -e -vv -i gif0 on both routers, I see some
> traffic. But this is only local traffic, no packet is forwarded between
> both routers. If I do a tcpdump on the only router between router1 and
> router2, I see no traffic except the ipsec negotiation.
>
> I changed net.inet.ip.forwarding=1 and net.inet.etherip.allow=1 but it
> did not help. Is something wrong with my configuration?