Bridges

FAQ

Memberlist

Usergroups

Profile

Preferences

· nixdoc.net

· man pages

· Linux HOWTOs

· FreeBSD Tips

· Forums

Forum index » *nix » BSD » FreeBSD » mail-lists » Architecture

Bridges

Page 1 of 2 [22 Posts]

View previous topic :: View next topic
Goto page: 1, 2 Next

Author

Message

Luigi Rizzo
*nix forums addict

Joined: 07 Apr 2002
Posts: 72

Posted: Sat Sep 24, 2005 11:28 am Post subject: Note

Re: Bridges

i am happy with retiring net/bridge.c in HEAD.

cheers
luigi

On Sat, Sep 24, 2005 at 03:25:06PM +0200, Max Laier wrote:

Quote:

All,

for some time now, we have three bridge implementations in the tree:
- net/bridge.c - the "old" bridge
- net/if_bridge.c - the "new" bridge from Net/OpenBSD
- netgraph/ng_bridge.c - the netgraph version [1]

The new code has several advantages over the old version:
- Spanning Tree Protocol (802.1D)
- better firewall support (IPv6, stateful filtering, ...)
- easy ifconfig( Cool

configuration

while keeping all the functionality that was present in the old code:
- dummynet support
- IPFW L2 support [2]

There have been some benchmarks that suggest that there isn't a performance
issue either, but more numbers are always appreciated. If it turns out that
there is any remaining problem with if_bridge we need to fix it. If you are
running an old bridge on 6.0-BETA try moving to the new code and let us know.

This means the old code is obsolete. In order to keep code duplication down
and not hinder further development (Andre is working on an overhaul of [2]
and would have to do it twice, for example) I would like to retire the old
bridge code soon. This should happen in HEAD only and thus the old bridge
will stay for all of FreeBSD 6 unless more aggressive depreciation is
requested.

Please test the new alternative if you are using the old one still. Let us
know if there are any issues remaining.

Objections against soon retirement of bridge.c in HEAD?

[1] listed for completeness only.

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Peter van Dijk
*nix forums beginner

Joined: 27 Aug 2005
Posts: 2

Posted: Sat Sep 24, 2005 11:35 am Post subject: Note

Re: Bridges

On Sat, Sep 24, 2005 at 03:25:06PM +0200, Max Laier wrote:

Quote:

Objections against soon retirement of bridge.c in HEAD?

One argument in favour of retirement: last time I checked (FreeBSD
6.0-BETA2 I think), bridge.ko is a recipe for instant panic on
sparc64. Although now I wonder whether the same is still true for
ng_bridge.

I'm a happy if_bridge user now :)

Cheers, Peter
--
peter@dataloss.nl | ~ tonight tonight, what is this potion
http://blog.dataloss.nl/ | ~ that makes a fool of me
UnderNet/#clue | Wayfinder, fr-025 soundtrack

Andre Oppermann
*nix forums addict

Joined: 21 Mar 2002
Posts: 55

Posted: Sat Sep 24, 2005 12:47 pm Post subject: Note

Re: Bridges

Max Laier wrote:

Quote:

No objection. if_bridge has surpassed net/bridge.c in features. There
is no compelling reason to carry two bridge implementations forward. It
only creates a unnecessary maintenance burden.

--
Andre
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Scott Long
*nix forums Guru Wannabe

Joined: 16 Jun 2002
Posts: 167

Posted: Sat Sep 24, 2005 1:34 pm Post subject: Note

Re: Bridges

Max Laier wrote:

Quote:

I'm fine with it being removed in HEAD. You should change the docs and
whatever appropriate manpages in 6-STABLE to clearly indicate that it is
deprecated there and may be removed in the future.

Scott
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Peter Jeremy
*nix forums addict

Joined: 13 Jun 2002
Posts: 77

Posted: Sat Sep 24, 2005 5:22 pm Post subject: Note

Re: Bridges

On Sat, 2005-Sep-24 15:25:06 +0200, Max Laier wrote:

Quote:

for some time now, we have three bridge implementations in the tree:
- net/bridge.c - the "old" bridge
- net/if_bridge.c - the "new" bridge from Net/OpenBSD
- netgraph/ng_bridge.c - the netgraph version [1]

The new code has several advantages over the old version:
- Spanning Tree Protocol (802.1D)
- better firewall support (IPv6, stateful filtering, ...)
- easy ifconfig( Cool

configuration

Since I've recently needed it, neither bridge.c nor if_bridge.c allow
you to bridge VLAN trunks (you can bridge individual VLANs but that
becomes unwieldly when you have dozens of VLANs). I have code to do
this in bridge.c.

Quote:

Since if_bridge.c does not exist in FreeBSD 5, and there has not
previously been any suggestion that bridge.c is deprecated, I would
object to the removal of bridge.c from FreeBSD 6 since this would
violate the standard deprecation cycle.

Quote:

Please test the new alternative if you are using the old one still.

Has anyone looked at how difficult it would be to get if_bridge.c to
work in 5.x?

--
Peter Jeremy
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Max Laier
*nix forums beginner

Joined: 21 May 2004
Posts: 30

Posted: Sat Sep 24, 2005 6:38 pm Post subject: Note

Re: Bridges

On Saturday 24 September 2005 21:22, Peter Jeremy wrote:

Quote:

On Sat, 2005-Sep-24 15:25:06 +0200, Max Laier wrote:
for some time now, we have three bridge implementations in the tree:
- net/bridge.c - the "old" bridge
- net/if_bridge.c - the "new" bridge from Net/OpenBSD
- netgraph/ng_bridge.c - the netgraph version [1]

The new code has several advantages over the old version:
- Spanning Tree Protocol (802.1D)
- better firewall support (IPv6, stateful filtering, ...)
- easy ifconfig( Cool

configuration

Since I've recently needed it, neither bridge.c nor if_bridge.c allow
you to bridge VLAN trunks (you can bridge individual VLANs but that
becomes unwieldly when you have dozens of VLANs). I have code to do
this in bridge.c.

Not sure what you mean, but I am sure Andrew Thompson is willing to help
converting your code to if_bridge if asked. BTW, forgot about one big plus
for if_bridge: It is the one true bridge implementation in Net/OpenBSD so
there is a lot of additional "developer power" behind it. Of course one
could argue that code monoculture is a bad thing ... I like to believe
otherwise, however.

Quote:

and would have to do it twice, for example) I would like to retire the old
bridge code soon. This should happen in HEAD only and thus the old bridge
will stay for all of FreeBSD 6 unless more aggressive depreciation is
requested.

Since if_bridge.c does not exist in FreeBSD 5, and there has not
previously been any suggestion that bridge.c is deprecated, I would
object to the removal of bridge.c from FreeBSD 6 since this would
violate the standard deprecation cycle.

No idea what the standard deprecation cycle is, but no problem. I just want
it out of HEAD to be able to move forward with other projects more easily,
such as what Andre is going to do.

Quote:

Please test the new alternative if you are using the old one still.

Has anyone looked at how difficult it would be to get if_bridge.c to
work in 5.x?

See http://people.freebsd.org/~thompsa/ for patches.

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

Andrew Thompson
*nix forums beginner

Joined: 24 May 2005
Posts: 11

Posted: Sat Sep 24, 2005 10:22 pm Post subject: Note

Re: Bridges

On Sun, Sep 25, 2005 at 05:22:38AM +1000, Peter Jeremy wrote:

Quote:

I'd like to see what you have done here, can I look at the patch.

Quote:

Please test the new alternative if you are using the old one still.

Has anyone looked at how difficult it would be to get if_bridge.c to
work in 5.x?

http://people.freebsd.org/~thompsa/if_bridge-5stable.20050907.diff

Ive posted it for testing before but didnt get a response, care to try
it out?

Andrew
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Maxim Konovalov
*nix forums beginner

Joined: 23 Mar 2004
Posts: 15

Posted: Mon Sep 26, 2005 8:24 am Post subject: Note

Re: Bridges

[...]

Quote:

I'm fine with it being removed in HEAD. You should change the docs and
whatever appropriate manpages in 6-STABLE to clearly indicate that it is

.... and please don't forge about GNATS. There are several bridge.c
specific PRs (kern/57100, kern/82919 etc).

--
Maxim Konovalov
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Yar Tikhiy
*nix forums beginner

Joined: 08 Apr 2003
Posts: 36

Posted: Wed Sep 28, 2005 8:21 am Post subject: Note

Re: Bridges

On Sun, Sep 25, 2005 at 05:22:38AM +1000, Peter Jeremy wrote:

Quote:

Couldn't you bridge across the parent, or trunk, physical interfaces
carrying tagged VLAN traffic then? (Of course, hardware support for
VLAN should be turned off on them in that case.)

--
Yar
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Luigi Rizzo
*nix forums addict

Joined: 07 Apr 2002
Posts: 72

Posted: Wed Sep 28, 2005 8:29 am Post subject: Note

Re: Bridges

On Wed, Sep 28, 2005 at 02:21:53PM +0400, Yar Tikhiy wrote:

Quote:

On Sun, Sep 25, 2005 at 05:22:38AM +1000, Peter Jeremy wrote:

Since I've recently needed it, neither bridge.c nor if_bridge.c allow
you to bridge VLAN trunks (you can bridge individual VLANs but that
becomes unwieldly when you have dozens of VLANs). I have code to do
this in bridge.c.

Couldn't you bridge across the parent, or trunk, physical interfaces
carrying tagged VLAN traffic then? (Of course, hardware support for
VLAN should be turned off on them in that case.)

yes in fact i was wondering what's wrong with that because
we have been using bridge.c like this for ages now...

cheers
luigi

Quote:

--
Yar
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"
_______________________________________________

freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Peter Jeremy
*nix forums addict

Joined: 13 Jun 2002
Posts: 77

Posted: Wed Sep 28, 2005 4:47 pm Post subject: Note

Re: Bridges

On Wed, 2005-Sep-28 03:29:33 -0700, Luigi Rizzo wrote:

Quote:

On Wed, Sep 28, 2005 at 02:21:53PM +0400, Yar Tikhiy wrote:
On Sun, Sep 25, 2005 at 05:22:38AM +1000, Peter Jeremy wrote:

Since I've recently needed it, neither bridge.c nor if_bridge.c allow
you to bridge VLAN trunks (you can bridge individual VLANs but that
becomes unwieldly when you have dozens of VLANs). I have code to do
this in bridge.c.

Couldn't you bridge across the parent, or trunk, physical interfaces
carrying tagged VLAN traffic then? (Of course, hardware support for
VLAN should be turned off on them in that case.)

That's actually what I was trying to do.

Quote:

yes in fact i was wondering what's wrong with that because
we have been using bridge.c like this for ages now...

The problem is that the current bridge code only considers the MAC
address for forwarding. When VLANs are in use, this is incorrect as
both the MAC address and VLAN tag must be considered. The difference
is crucial when you have the same MAC address appearing in multiple
VLANs. This can occur when using DECnet Phase IV or Solaris with
Cassini NICs - both of which have a per-host MAC address rather than a
per-NIC MAC address.

As an example, consider a system with a host-based MAC address that
has two NICs. One NIC attaches to VLAN 123 on switch a, the other
attaches to VLAN 124 on switch b [this is the situation we have in our
test lab]. If I then attempt to join trunks from both switches using
bridge(4), it sees the same MAC address on both bridged interfaces and
shuts down. In reality, this situation is safe because the MAC
addresses are in different VLANs.

--
Peter Jeremy
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Wilkinson, Alex
*nix forums beginner

Joined: 21 Apr 2005
Posts: 6

Posted: Wed Sep 28, 2005 9:26 pm Post subject: Note

Re: Bridges

0n Thu, Sep 29, 2005 at 04:47:32AM +1000, Peter Jeremy wrote:

Quote:

On Wed, 2005-Sep-28 03:29:33 -0700, Luigi Rizzo wrote:
On Wed, Sep 28, 2005 at 02:21:53PM +0400, Yar Tikhiy wrote:
On Sun, Sep 25, 2005 at 05:22:38AM +1000, Peter Jeremy wrote:

Since I've recently needed it, neither bridge.c nor if_bridge.c allow
you to bridge VLAN trunks (you can bridge individual VLANs but that
becomes unwieldly when you have dozens of VLANs). I have code to do
this in bridge.c.

Couldn't you bridge across the parent, or trunk, physical interfaces
carrying tagged VLAN traffic then? (Of course, hardware support for
VLAN should be turned off on them in that case.)

That's actually what I was trying to do.

yes in fact i was wondering what's wrong with that because
we have been using bridge.c like this for ages now...

The problem is that the current bridge code only considers the MAC
address for forwarding. When VLANs are in use, this is incorrect as
both the MAC address and VLAN tag must be considered. The difference
is crucial when you have the same MAC address appearing in multiple
VLANs. This can occur when using DECnet Phase IV or Solaris with
Cassini NICs - both of which have a per-host MAC address rather than a
per-NIC MAC address.

As an example, consider a system with a host-based MAC address that
has two NICs. One NIC attaches to VLAN 123 on switch a, the other
attaches to VLAN 124 on switch b [this is the situation we have in our
test lab]. If I then attempt to join trunks from both switches using
bridge(4), it sees the same MAC address on both bridged interfaces and
shuts down. In reality, this situation is safe because the MAC
addresses are in different VLANs.

Peter,

What is the difference between a "per-host MAC address" and a "per-NIC
MAC address" ?

- aW
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Yar Tikhiy
*nix forums beginner

Joined: 08 Apr 2003
Posts: 36

Posted: Wed Sep 28, 2005 9:49 pm Post subject: Note

Re: Bridges

On Thu, Sep 29, 2005 at 04:47:32AM +1000, Peter Jeremy wrote:

Quote:

FWIW, this sounds quite reasonable to me. Indeed, there is plenty
of good and not-so-good reasons for the same MAC address to appear
on different VLANs, and it seems a licit case.

--
Yar
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Jeremie Le Hen
*nix forums beginner

Joined: 17 Dec 2004
Posts: 10

Posted: Thu Sep 29, 2005 7:08 am Post subject: Note

Re: Bridges

Hi Yar,

Quote:

Couldn't you bridge across the parent, or trunk, physical interfaces
carrying tagged VLAN traffic then? (Of course, hardware support for
VLAN should be turned off on them in that case.)

Since neither ipfw nor pf can filter on VLAN tag at layer 2, this
could be pretty useful to be able to bridge vlan(4) interfaces together.
For administrative reasons, you may not want to have all the VLANs
living onto a physical network being seen to the other side of the
bridge.

I also know another situation where this can be useful. Once I've been
asked to build a single firewall for a whole rack of servers. These
servers where remotely administrated by customers and therefore we
had no security control over them. Thus we wanted the firewall to
protect the servers from the Internet but also from others round servers,
that may have been defaced. For other reasons, we needed a bridge and
no NAT was possible. The idea was to give each server its own VLAN,
and the firewall bridged them together.

I set up this firewall with Linux, I would be glad to be able to do
so with FreeBSD.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Peter Jeremy
*nix forums addict

Joined: 13 Jun 2002
Posts: 77

Posted: Fri Sep 30, 2005 7:56 am Post subject: Note

Re: Bridges

On Thu, 2005-Sep-29 08:44:09 +0930, Wilkinson, Alex wrote:

Quote:

What is the difference between a "per-host MAC address" and a "per-NIC
MAC address" ?

All NICs have a unique MAC address. This address can be over-ridden by
the host if it needs to have the same MAC address appear on multiple
interfaces.

Of the two cases I mentioned: DECnet changes all MAC addresses to one
beginning AA0055 where the low bits are the host's DECnet address.
This removes the need for IP's ARP since the source host can determine
the destination host's MAC address without needing to ask the network.

Some versions of Solaris with some NICs (definitely Solaris 8 with
Cassini NICs) associate a MAC address with the host, rather than the
NIC. I'm less certain of the rationale for this.

--
Peter Jeremy
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Google

Display posts from previous:

Page 1 of 2 [22 Posts]

Goto page: 1, 2 Next
View previous topic :: View next topic

The time now is Thu Jan 08, 2009 9:53 am | All times are GMT

Forum index » *nix » BSD » FreeBSD » mail-lists » Architecture

Jump to:

Topic		Author	Forum	Replies	Last Post
Similar Topics
	Adding one interface to two bridges	demiourgos@gmail.com	networking	2	Sun Oct 09, 2005 10:54 am
	When to burn those bridges	Doug Rabson	Architecture	22	Tue Sep 09, 2003 9:23 am

Guitar Lessons | Web Hosting by Safehosting | Free Photo Storage | Tour Management Software | Loans

Other DeniX Solutions sites: Unix/Linux blog | electronics forum | medicine forum | science forum |

[ Time: 0.5112s ][ Queries: 13 (0.3215s) ][ GZIP on - Debug on ]