On 22/11/15(Sun) 16:56, Momtchil Momtchev wrote:
> On 22/11/2015 15:52, Martin Pieuchot wrote:
> >
> >btw., what OpenBSD version is this diff for? This is not -current.
> >> Thanks for the quick reply. That was my impression too, but it seems
> >>that bridge_output is also used sometimes for forwarding ARP requests by a
> >>code path that I haven't found yet - it is not a direct forwarding, it is
> >>like some kind of a proxy-ARP mechanism. I have a modified bridge and for me
> >>it makes sense (it is for a box that bridges IP6 traffic and routes IP4
> >>traffic - so I am blocking IP4 only with BLOCKNONIP), I just wondered why it
> >>was not there and if I was missing something. Who does call bridge_output?
> >>Isn't output always on the underlying interface, not directly on the bridge?
> >If you want some help you need to provide the information that allows
> >us to help you. Which version are you running? Can you describe the
> >problem you're facing *without* any modification on such version?
>
> I just upgraded to 5.8 (from 4.9) and I see the bridge has changed
> somewhat. I am using the bridge to pass IPv6 only traffic, NATting and
> routing IPv4. This is not possible without modifying the bridge.
When you say "the bridge changed somewhat", are you saying that you see
a regression? Could you share your setup that, I guess, works with 4.9
and no longer works with 5.8?
> Since
> upgrading to 5.8 I started getting IPv4 ARP requests passing through my
> _BLOCKNONIPV6_ bridge (which is a problem since there is equipment that
> gets confused by them on that other side). I traced those requests down to
> bridge_output, so I added that check which solved my problem. Except now I
> don't get ARPs at all on this interface, but this is fine with me, I added a
> static entry for the only router I needed.
I don't understand what you mean by "_BLOCKNONIPV6_ bridge". ifconfig(8)
clearly says:

     blocknonip interface
             Mark interface so that no non-IPv4, IPv6, ARP, or Reverse ARP
             packets are accepted from it or forwarded to it from other
             bridge member interfaces

> My questions were, isn't the missing BLOCKNONIP check actually needed by
> everyone (not really according to Reyk Floeter) and why is bridge_output
> used at all? ARP traffic should originate in the output function of the
> underlying interface, not the bridge? But anyway, at this point it is mostly
> academic, I solved my problem, I was just trying to understand the code.