[Bro] bridge interface vs. bpf bonding (patch?) on FreeBSD 6.1

Matt Cuttler mcuttler at bnl.gov
Tue Oct 24 19:24:51 PDT 2006 

Ennobled bro users and developers,

I'm looking for some clarification on the use of bro and multiple
interfaces.

FreeBSD 6.1 machine with two em* (Intel 1000 fibre) interfaces. Each
interface's RX port is connected to one of the two TX ports on a
regenerative tap.

Bro.cfg was originally configured as:
BRO_CAPTURE_INTERFACE="em0 em1"

Additionally, we tried enabling and disabling:
BRO_BPFBOND_ENABLE="YES"
and
BRO_BPFBOND_FLAGS="em0 em1"

In all cases above, we got indications that this configuration was not
correct, and that bro might not be getting all of the traffic across
both interfaces properly (see example #1 below, with content gaps in the
smtp log).

We then set up a bond interface:
ifconfig bridge0 create
ifconfig bridge0 addm em0 addm em1 up
..and changed our bro.cfg to:
BRO_CAPTURE_INTERFACE="bond0"
BRO_BPFBOND_ENABLE="NO"

This seems to work properly now; at least we no longer get content gaps
logged to the smtp log (see example #2 below).

My questions are: Is this (bridge device method) the "right" way to
handle multiple interfaces for my hardware/software? The documentation
mentions kernel patches to enable bpf bonding on FreeBSD 4.1. Is this
not necessary on later FreeBSD releases?

Thanks,
Matt Cuttler

===
example #1, using em0 and em1:
1.2.3.4/1880 > 5.6.7.8/smtp start internal
1.2.3.4/1880 > 5.6.7.8/smtp: unexpected: content gap: \
  seq = 30, len = 33
1.2.3.4/1880 < 5.6.7.8/smtp: unusual command/reply: \
  (UNKNOWN)() --> 250(OK)
1.2.3.4/1880 > 5.6.7.8/smtp: unexpected: unexpected \
  command: RCPT reply = 0 state = 12
1.2.3.4/1880 < 5.6.7.8/smtp: unexpected: content gap: \
  seq = 139, len = 14
1.2.3.4/1880 < 5.6.7.8/smtp: unexpected: content gap: \
  seq = 153, len = 14
1.2.3.4/1880 < 5.6.7.8/smtp: unusual command/reply: \
  (UNKNOWN)() --> 250(Accepted)
1.2.3.4/1880 > 5.6.7.8/smtp: unexpected: unexpected \
  command: DATA reply = 0 state = 12
1.2.3.4/1880 > 5.6.7.8/smtp: unexpected: content gap: \
  seq = 149, len = 1460
1.2.3.4/1880 > 5.6.7.8/smtp: unexpected: content gap: \
  seq = 1609, len = 1697
1.2.3.4/1880 < 5.6.7.8/smtp: unexpected: content gap: \
  seq = 237, len = 28
1.2.3.4/1880 < 5.6.7.8/smtp: unusual command/reply: \
  (UNKNOWN)() --> 221(mail.host.net closing connection)
finish
===

===
Example #2, using bond0:

1.2.3.4/19100 > 5.6.7.8/smtp start external
recipient: <user at email.address>
finish

===

More information about the Bro mailing list