Subject: Re: VLAN + bridging problems
To: Dobromir Montauk <dmontauk@rescomp.berkeley.edu>
From: William Waites <ww@styx.org>
List: tech-net
Date: 12/10/2002 02:32:21
>>> "Dobromir" == Dobromir Montauk <dmontauk@rescomp.berkeley.edu> writes:

    Dobromir> It's not.  But my guess  is that the NetBSD VLAN driver,
    Dobromir> like  the Linux driver,  should strip  off the  VLAN tag
    Dobromir> before doing anything else  - for example forwarding the
    Dobromir> packet  through  a   bridge...   

That  is precisely  what's happening.   In  sys/net/if_ethersubr.c the
relevant  function is ether_input(),  around line  703. The  packet is
bridged first, then the vlan header is stripped off around line 754.

    Dobromir> In Linux,  supposedly, there's a special  option to turn
    Dobromir> this "feature" on/off.  I was hoping NetBSD had the same
    Dobromir> thing.

If  we strip  the vlan  header off  before bridging  the  packet, then
bridging under the vlans won't work   -- you can't make a repeater out
of  two NICs  that  will  forward packets  leaving  the 802.1q  header
intact.

If we bridge the packet first then there are three scenarios:

- vlan and vlan as members of a bridge -- this works correctly because
  vlan_input calls  ether_input recursively after it  has stripped the
  header. 
- vlan and ether -- this works correctly as long as tagged packets are
  never received on the ether interface.
- ether and ether -- this is the repeater scenario above

It looks  like the scenario you  are running into is  the second, only
tagged  packets  *are*  being   received  over  the   regular  ethernet
interface.
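
The bridge-first ordering described in the message above, as an added toy model in C; it is not part of the original message and not NetBSD source. The names member_kind, bridge_sees and frame_vlan_id and the sample frame are assumptions made for illustration, and the model ignores whether the tag's VLAN ID matches the vlan interface's configured one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN 0x8100   /* 802.1Q TPID */
#define ETHER_HDR_LEN  14
#define VLAN_ENCAP_LEN 4

/* Which kind of interface is the bridge member that receives the frame (hypothetical names). */
enum member_kind { MEMBER_ETHER, MEMBER_VLAN };

/* Constructed sample: broadcast dst, local src, 802.1Q tag with VID 100, IPv4 type, 4 payload bytes. */
static const uint8_t sample_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0x00,0x64, 0x08,0x00, 0xde,0xad,0xbe,0xef };

/* VLAN ID if the frame carries an 802.1Q tag, otherwise -1. */
int frame_vlan_id(const uint8_t *f, size_t len)
{
    if (len < ETHER_HDR_LEN + VLAN_ENCAP_LEN) return -1;
    if (((f[12] << 8) | f[13]) != ETHERTYPE_VLAN) return -1;
    return ((f[14] << 8) | f[15]) & 0x0fff;
}

/* Copy into out (at least len bytes) the frame the bridge gets to forward;
 * return its length, or 0 if the frame is not bridged. */
size_t bridge_sees(enum member_kind rx, const uint8_t *f, size_t len, uint8_t *out)
{
    if (rx == MEMBER_ETHER) {           /* bridged first: a tag, if any, stays on */
        memcpy(out, f, len);
        return len;
    }
    if (frame_vlan_id(f, len) < 0)      /* untagged: not for the vlan interface */
        return 0;
    memcpy(out, f, 12);                 /* dst + src MAC */
    memcpy(out + 12, f + 16, len - 16); /* drop TPID + TCI, keep inner type + payload */
    return len - VLAN_ENCAP_LEN;        /* header stripped, then bridged untagged */
}

int main(void)
{
    uint8_t out[64];
    size_t n = bridge_sees(MEMBER_ETHER, sample_frame, sizeof sample_frame, out);
    printf("ether member: %zu bytes, vid %d\n", n, frame_vlan_id(out, n));
    n = bridge_sees(MEMBER_VLAN, sample_frame, sizeof sample_frame, out);
    printf("vlan member:  %zu bytes, vid %d\n", n, frame_vlan_id(out, n));
    return 0;
}
```

A tagged frame arriving on an ether member reaches the bridge with its 802.1Q header intact, which is the condition that separates the second scenario from the first.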