kern/48971: ICMP redirects should not be issued for active bridge

[darrenr%netbsd.org@localhost]

>Number:         48971
>Category:       kern
>Synopsis:       ICMP redirects should not be issued for active bridge
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 07 16:35:00 +0000 2014
>Originator:     Darren Reed
>Release:        NetBSD 6.1_STABLE
>Organization:
NetBSD
>Environment:
        
        
System: NetBSD homeworld.netbsd.org 6.1_STABLE NetBSD 6.1_STABLE (NBMAIL) #0: 
Tue Jun 10 18:49:40 UTC 2014 
spz%franklin.NetBSD.org@localhost:/home/netbsd/6/amd64/obj/sys/arch/amd64/compile/NBMAIL
 amd64
Architecture: x86_64
Machine: amd64
>Description:
See http://mail-index.netbsd.org/tech-net/2014/07/05/msg004689.html

NetBSD is issuing ICMP redirects for packets that should never be finding
their way into the IP input code path when bridging is enabled.

This may be because the configuration where a network interface that has
an IP address assigned to it being added to a bridge is unsupported. If
so then this is not documented.
>How-To-Repeat:
Using ESXi as the host for a NetBSD VM, if I grant the NetBSD VM the ability
to engage promiscuous mode then doing this:
ifconfig bridge0 create
brconfig bridge0 add wm0
... where wm0 has an IP address assigned is enough to start the VM
generating redirects for packets that it should not (use tcpdump to
observe.) Adding another interface to the bridge with "brconfig bridge0
add wm1" does not fix the ICMP redirect problem.
>Fix:
        

>Unformatted: