Date: Wed, 23 Feb 2011 14:00:26 GMT
From: elof2@sentor.se
To: freebsd-net@FreeBSD.org
Subject: Re: kern/139268: [if_bridge] [patch] allow if_bridge to forward just VLAN-tagged (or untagged) packets
Message-ID: <201102231400.p1NE0QfS016078@freefall.freebsd.org>
The following reply was made to PR kern/139268; it has been noted by GNATS.

From: elof2@sentor.se
To: bug-followup@FreeBSD.org, pak@cns.utoronto.ca
Cc:
Subject: Re: kern/139268: [if_bridge] [patch] allow if_bridge to forward just VLAN-tagged (or untagged) packets
Date: Wed, 23 Feb 2011 14:57:46 +0100 (CET)

I'm attaching my semi-related feature request to P Kern's request from 2009.

Allow if_bridge to "normalise" frames before sending them to bpf, to simplify (and sometimes correctify) traffic sniffing and network debugging.

Question: How do I get in touch with a developer that can make this feature find its way into FreeBSD base? What would it cost me and how soon could it be added?

Scenario: I create a bridge0 interface using (one or) multiple parent NICs. Then I sniff the traffic on this cloned NIC, 'tcpdump -nli bridge0 port 80'.

Benefit: Multiple NICs are bonded together and can easily be sniffed on ONE interface with ONE sniffer process.

Drawback: If the sniffer uses a bpf filter like "port 80", and the incoming mirrored traffic consists of a mix of untagged and vlan-tagged (802.1q) packets, only the untagged packets will match. To see if there is any www traffic in the mirrored vlans, one needs to change the filter to "vlan and port 80", but then you lose the untagged lan. ...a catch 22. :-(

The file sys/net/if_bridge.c prior to revision 186365 (http://svn.freebsd.org/viewvc/base?view=revision&revision=186365) used the function call BPF_MTAP to send a copy of a packet to bpf. Since this gave a stripped packet to the sniffer rather than the full and correct frame, this bug was corrected in revision 186365 using ETHER_BPF_MTAP.

My request is simply to have the possibility to override the defaults and do it the "buggy" way again, since this proved to be a great feature rather than a bug. :-)

Having a function that simply strips off any vlan tag from tagged packets is wonderful when it comes to sniffing. Especially since switches from all brands behave differently when it comes to SPAN and vlan tags (a SYN packet could be mirrored untagged while the corresponding SYN+ACK is mirrored with a vlan tag set). It is also quite common that net admins configure uplink ports with multiple vlans AND an untagged lan. When you SPAN this uplink you get both tagged and untagged traffic in a mix, making it hard to work with one bpf filter on the full scope of the received traffic.

By normalising the mirrored traffic sent to bpf, a network technician can more easily perform his network debugging. Also, there is less risk of human mistakes due to the lack of insight that he needs to use the 'vlan' keyword in his tcpdump/tshark/ngrep/whatever to match the traffic. Also, state-keeping tools like snort and argus benefit from normalised traffic, since they fail to build a correct state table if the SYN and SYN+ACK belong to two different vlans.

My request is that if a sysctl variable (like net.link.bridge.bpf.strip_header) is true, then if_bridge will pass stripped packets to bpf. By default it should naturally pass the full frame.

PS. There are only four places in if_bridge.c that need to be updated to something like this, so the actual work to do is pretty simple:

    if (net.link.bridge.bpf.strip_header == 1)
        BPF_MTAP(bifp, m);
    else
        ETHER_BPF_MTAP(bifp, m);

/Elof
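The mismatch Elof describes (a filter written for untagged frames silently missing the same packet once a switch mirrors it with an 802.1Q tag) can be shown in userland without touching the kernel. The C below is an added example written for this page; it is not code from the email, the PR or FreeBSD's if_bridge.c. It assumes a plain Ethernet/IPv4/TCP layout, uses two constructed sample frames (the same SYN to port 80, once untagged and once on VLAN 10), and stands in for a bpf "port 80" filter with a naive fixed-offset matcher; normalise_frame() removes one 802.1Q tag the way the requested strip_header sysctl would before the copy reaches bpf.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHER_HDR_LEN   14
#define VLAN_TAG_LEN    4
#define ETHERTYPE_VLAN  0x8100
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_TCP_NUM 6

/* Constructed sample, not a real capture: Ethernet/IPv4/TCP SYN 10.0.0.1:49152 -> 10.0.0.2:80. */
static const uint8_t untagged_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* dst, src, IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,            /* IPv4 header   */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP header    */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

/* Same packet as a switch would mirror it from VLAN 10: 802.1Q tag (0x8100, TCI 0x000a) after the MACs. */
static const uint8_t tagged_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x81,0x00,0x00,0x0a, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 1 if the frame carries an 802.1Q tag in the EtherType slot, else 0. */
int is_vlan_tagged(const uint8_t *frame, size_t len)
{
    return len >= ETHER_HDR_LEN && be16(frame + 12) == ETHERTYPE_VLAN;
}

/* Copy frame into out, dropping one 802.1Q tag if present (the "strip_header" behaviour).
 * Returns bytes written, or 0 if the frame is truncated or out is too small. */
size_t normalise_frame(const uint8_t *frame, size_t len, uint8_t *out, size_t outcap)
{
    if (len < ETHER_HDR_LEN || outcap < len)
        return 0;
    if (is_vlan_tagged(frame, len)) {
        if (len < ETHER_HDR_LEN + VLAN_TAG_LEN)
            return 0;
        memcpy(out, frame, 12);                 /* dst + src MAC */
        memcpy(out + 12, frame + 16, len - 16); /* inner EtherType + payload */
        return len - VLAN_TAG_LEN;
    }
    memcpy(out, frame, len);
    return len;
}

/* Stand-in for a bpf "port N" filter compiled without the 'vlan' keyword:
 * it assumes IPv4 starts at offset 14, so a tagged frame never matches. */
int matches_tcp_port(const uint8_t *frame, size_t len, uint16_t port)
{
    if (len < ETHER_HDR_LEN + 20 || be16(frame + 12) != ETHERTYPE_IPV4)
        return 0;
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ip[9] != IPPROTO_TCP_NUM || len < ETHER_HDR_LEN + ihl + 4)
        return 0;
    const uint8_t *tcp = ip + ihl;
    return be16(tcp) == port || be16(tcp + 2) == port;
}

/* Run the matcher on a frame, optionally normalising first. 1 = "port 80" would see it. */
int port80_seen(const uint8_t *frame, size_t len, int strip_header)
{
    uint8_t buf[1600];
    const uint8_t *f = frame;
    size_t n = len;
    if (strip_header) {
        n = normalise_frame(frame, len, buf, sizeof buf);
        if (n == 0)
            return 0;
        f = buf;
    }
    return matches_tcp_port(f, n, 80);
}

int main(void)
{
    printf("untagged, raw:        %d\n", port80_seen(untagged_syn, sizeof untagged_syn, 0));
    printf("tagged,   raw:        %d\n", port80_seen(tagged_syn, sizeof tagged_syn, 0));
    printf("tagged,   normalised: %d\n", port80_seen(tagged_syn, sizeof tagged_syn, 1));
    return 0;
}
```

Only the third case changes with normalisation: the SYN+ACK a switch mirrors with a tag would otherwise be dropped by the same filter that accepts the untagged SYN, which is exactly what breaks the state table in tools like snort and argus. Note that normalisation also discards the VLAN ID, so a sensor that needs per-VLAN attribution should keep the tag and use the 'vlan' keyword instead.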