[ENHANCEMENT] --vlan switch

[2Belette]

Is your feature request related to a problem? Please describe.
Today, there is no automated way to created one (or multiple) VLAN interfaces in a jail created by Bastille.
This becomes even more interesting when the support of adding multiple interfaces in jails will be available.

Describe the solution you'd like
--vlan VLANID during create or network operations would add a vnetX.VLANID to the jail

Example :
doas bastille create -B -V test 14.2-RELEASE 10.10.20.21/24 --vlan 20 vswitch_lan

Would generate a rc.conf with :

ifconfig_vnet1="up" # see my note below
ifconfig_e1b_test_name="vnet1"
vlans_vnet1="20"
ifconfig_vnet1_20=" inet 10.10.20.21/24 "

And would create vnet1.20 interface to the jail

Note : I realized that if I don't explicitly bring the main interface (in my example, vnet1) where the VLAN interface is built from, there is no connectivity on the vnet1.20 interface as the main interface is down. This would need to be tested from someone else to confirm that I am not hitting a one-off issue.

Additional context
Something to consider after a large number of testings : I was not able to get connectivity through the VLAN interface, this is not related to Bastille, but just to share my findings as this can occur to others.

I realized that the traffic is coming out from the jail to the bridge and to the external network correctly but the traffic is never coming back to the jail.

I ran tcpdump and external packet capture (with physical probe) from multiple points of measure on my network : ARP Requests are seen and sent over (jail, epair bridge, physical NIC connected to the bridge and to the external network) . ARP Replies are seen/sent from my external inter-VLAN router but never seen by tcpdump ran on the bridge nor the physical interface attached to the bridge (em0 on my side) nor on the epair interface ! BUT seen by a TAP (Test Access Point) connected to an external probe tapping the same em0 interface !

I thought I was originally hitting a known bug on ARP and VLAN/Jails but when I add manually the router MAC/IP address to the jail ARP table the other type of traffic had the same issue (ICMP on my test) ICMP Requests seen all over the paths but the Replies disappeared on my host.

The kernel is silently deleting all the tagged traffic reaching em0/physical interface on the bridge.
To confirm, I manually created a VLAN interface to the same host bridge and put an IP address and was able to successfully get connectivity.

My host what Bastille documentation is suggesting :

net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_member=0

To fix the issue, a em0.20 (on my case) has to be created on the host (not putting any IP address) and it is enough to receive tagged traffic back from the external world.

This seems to be specific to BSD as I don't have the same behavior on Linux world, I may open a ticket to FreeBSD

[tschettervictor]

#899

[tschettervictor]

Merged.