Bug #6580

Bridge with down member interface sends ICMP unreachables where it shouldn't

Added by Chris Buechler almost 5 years ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: Operating System
Target version: -
Start date: 07/05/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.3.x
Affected Architecture:
Description

Take the scenario of:
LAN: bridge0
OPT1: igb1
OPT2: igb2

where bridge0 has igb1 and igb2 as members. The LAN IP subnet is on the bridge; the member interfaces have no IPs themselves. This may also apply to other circumstances; this is just one I know for sure is impacted.

If igb1 or igb2 is down (no carrier), then traffic coming in via OpenVPN elicits an ICMP unreachable in response. The IP in question is correctly present in the ARP cache and in the bridge's address table. Egress traffic across the same VPN works with no problem. These circumstances all worked in 2.2.x and earlier; this is a regression somewhere new in the FreeBSD 10.3 base OS.

The workaround is to either link up the NIC, or remove the down NIC from the bridge.

It may affect circumstances other than ingress OpenVPN traffic, though that one seems to be the scenario that's been reported. This thread, for instance:
https://forum.pfsense.org/index.php?topic=112912.0

as well as Ice-9's boat firewall, in a similar circumstance to the one that thread describes.
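The condition the report describes (a bridge member with no carrier) is easy to check for before applying the workaround. The following is an added example, not part of this bug report or of pfSense; it parses FreeBSD ifconfig(8) output and runs against a constructed sample from a hypothetical host, with `down_members bridge0 ifconfig` being the live form.

```shell
#!/bin/sh
# Added check for the condition in this report: a bridge member with no
# carrier. All functions read FreeBSD ifconfig(8) output from stdin, so the
# logic runs offline against the constructed sample below.

# Print member interface names from `ifconfig <bridge>` output (stdin).
bridge_members() {
    awk '/^[[:space:]]*member:/ { print $2 }'
}

# Succeed if `ifconfig <iface>` output (stdin) reports "status: no carrier".
carrier_down() {
    grep -q '^[[:space:]]*status: no carrier'
}

# Usage: down_members <bridge> <command printing ifconfig output for "$1">
# Lists members of the bridge that currently have no carrier, one per line.
down_members() {
    bridge="$1"; getcfg="$2"
    "$getcfg" "$bridge" | bridge_members | while read -r m; do
        if "$getcfg" "$m" | carrier_down; then
            echo "$m"
        fi
    done
}

# Constructed sample (hypothetical host) in FreeBSD ifconfig format:
# igb1 is the member with no carrier, igb2 is up.
sample_ifconfig() {
    case "$1" in
    bridge0) printf '%s\n' \
        'bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500' \
        '        member: igb2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>' \
        '                ifmaxaddr 0 port 3 priority 128 path cost 20000' \
        '        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>' \
        '                ifmaxaddr 0 port 2 priority 128 path cost 20000' ;;
    igb1) printf '%s\n' \
        'igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500' \
        '        status: no carrier' ;;
    igb2) printf '%s\n' \
        'igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500' \
        '        status: active' ;;
    esac
}

# Against the sample this prints "igb1". For each member listed, the report's
# workaround is to bring its link up or `ifconfig bridge0 deletem <member>`.
down_members bridge0 sample_ifconfig
```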