new FreeBSD bridge(4) review: "bridge: add defvlanfilter and defuntagged options" reviews.freebsd.org/D51176

this lets you do:

$ ifconfig bridge0 defvlanfilter defuntagged 1

... which causes all newly-added member interfaces to have VLAN filtering enabled and be in VLAN 1 (only).

then your VM/jail management tools (vm-bhyve, …) can continue using 'ifconfig addm' to add bridge members and don't need to know about VLAN configuration.

fun fact: this is how most people expect bridge(4) to work already, but it is not how bridge works already! in reality, all bridge members have access to all VLANs by default, and before VLAN filtering there was no way to restrict this at all.

i wonder how many systems accidentally allow jails/VMs to access their host management VLAN because of this?

for that reason (among others) i'd like to make this the default configuration of bridge(4) in a future version... 15.0 may be too early, though. but we should document this better.

#freebsd