Date: Fri, 29 Dec 2006 10:59:53 -0800
From: Julian Elischer <julian@elischer.org>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: Max Laier <max@love2party.net>, Andre Oppermann <andre@freebsd.org>, freebsd-net@freebsd.org
Subject: Re: [was] addition to ipfw (read vlans from bridge)..
Message-ID: <459565A9.201@elischer.org>
In-Reply-To: <20061229090556.GD76083@comp.chem.msu.su>
References: <457DCD47.5090004@elischer.org> <200612120045.41425.max@love2party.net> <4583119B.20608@elischer.org> <200612160446.02644.max@love2party.net> <4584CE0C.3020307@elischer.org> <458C426A.9060604@elischer.org> <20061224093951.GD49045@comp.chem.msu.su> <459032EA.1030601@elischer.org> <20061226061610.GD81280@comp.chem.msu.su> <459177B0.2030006@elischer.org> <20061229090556.GD76083@comp.chem.msu.su>

Yar Tikhiy wrote:
> On Tue, Dec 26, 2006 at 11:27:44AM -0800, Julian Elischer wrote:
>> Yar Tikhiy wrote:
>>
>>>> If what you are suggesting is that we pass into ipfw an 'offset'
>>>> into the packet as well as the packet, then yes I like that idea,
>>>> but I didn't see Andre suggest it.
>>> Do you consider only ideas by Andre? ;-)  By Andre's opinion I
>>> meant this:
>>>
>>>   Please have the ipfw code examine the vlan tag in the mbuf instead of
>>>   fiddling with the mbuf contents.
>> At the moment I plan the ipfw code to be unaware of vlan headers.
>> the plan is:
>> Add an argument to ipfw which is the offset in the packet where
>> the IP header may be found. Change the L2 users of ipfw to
>> leave the packet alone, but calculate the correct offset to pass to
>> ipfw. IPFW will make no assumptions as to what packet contents come
>> before the offset. Bridge and L2 callers of ipfw will
>> set the offset to non-0 values where the IP callers will set it to
>> 0. The non IP callers may make some MAC information available to the
>> ipfw code by some separate method, as it does at the moment. How this
>> is done will depend if we want to support Q-n-Q, and if so, how much..
>
> Sounds very reasonable to me.
>
>>> If we want ipfw to know of L2, then examining the VLAN tag in it
>>> is OK.  If not really, then ipfw (or any pfil filter) can get just
>>> the offset of IP.
>> What vlan tag? what if it's from an interface with no VLAN capacity..
>> What we need to do is make a convention so that vlan tags are always
>> created at the lowest layer, even if HW vlan tagging is not supported,
>> so that all packets look as if they have come from HW capable packets,
>> and add code so that all non HW capable interfaces interpret VLAN tags at
>> the lowest level, that way vlan packets always look the same.
>
> It depends.  As of now, a network interface driver passes up, e.g.,
> to ether_input(), just what it has got.  I.e., a driver in VLAN_HWTAG
> mode reads the tag from a hardware register and stores it in
> m_pkthdr.ether_vtag while a driver unaware of VLANs just passes up
> an 802.1q tagged frame it received.  Perhaps it's ether_input() that
> should fix the things up for us so that we don't have to modify every
> VLAN-ignorant driver.
>
> However, converting the in-band tag to the out-of-band tag will
> take 1 m_pullup() call and 1 bcopy() call and 1 m_adj() call per
> tagged frame received:

but that gets done anyhow later when we convert it..

>
>     if ((m->m_flags & M_VLANTAG) == 0) {
>         m_pullup(m, sizeof(struct ether_vlan_header));
>         evh = mtod(m, struct ether_vlan_header *);
          if (evh->evl_encap_proto == ETHERTYPE_VLAN) {
>             m->m_pkthdr.ether_vtag = ntohs(evh->evl_tag);
>             m->m_flags |= M_VLANTAG;
>             bcopy((char *)evh, (char *)evh + ETHER_VLAN_ENCAP_LEN,
>                 ETHER_HDR_LEN - ETHER_TYPE_LEN);
>             m_adj(m, ETHER_VLAN_ENCAP_LEN);
          }
>     }
>
> Now I cannot tell if there will be a noticeable impact on performance
> relative to the approach when we just do things conditionally
> depending on M_VLANTAG being set or unset, e.g.:
>
>     if (m->m_flags & M_VLANTAG) {
>         tag = m->m_pkthdr.ether_vtag;
>     } else {
>         m_pullup(m, sizeof(struct ether_vlan_header));
>         evh = mtod(m, struct ether_vlan_header *);
>         tag = ntohs(evh->evl_tag);
>     }
>     /* now do things based on tag, e.g., filtering... */
>
>>> Infinity.  Why to introduce such a hard limit?
>>
>> Because an infinite limit complicates things?
>
> Not necessarily.  It depends on what we are trying to do with the
> tags.  E.g., if we want to find the IP header offset, computing it
> by skipping over an unlimited number of VLAN headers won't be more
> complex than skipping over just 1-2 of them as we need a loop
> already.

2 is not a loop if they are different.. note that the standard talks
about 2 different ethertypes.

Also how do we currently cope with multiple vlan tags considering that
Andre has just incorporated a single vlan tag into the mbuf?
(and what happens if we use old mtags and have multiple vlan tags?
it is not defined what happens when there are multiple mtags with the
same type. How do you get the 2nd one?)
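
The IP-offset calculation discussed in this message, as a stand-alone userspace C sketch (an added example, not code from the thread or from FreeBSD). It leaves the frame untouched, skips stacked tags up to a caller-chosen limit, and rejects truncated frames; the name `l3_offset`, the `max_tags` parameter, accepting 0x88a8 as an outer tag type, and the sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ETHER_HDR_LEN        14      /* dst MAC + src MAC + ethertype */
#define ETHER_VLAN_ENCAP_LEN 4       /* TCI + encapsulated ethertype */
#define ETHERTYPE_VLAN       0x8100  /* 802.1Q tag */
#define ETHERTYPE_QINQ       0x88a8  /* 802.1ad outer tag (assumed accepted) */
#define ETHERTYPE_IP         0x0800

/* Constructed sample: outer tag 0x88a8/VLAN 10, inner 0x8100/VLAN 100, IPv4. */
static const uint8_t sample_qinq[] = {
	0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0,       /* dst, src MAC */
	0x88, 0xa8, 0x00, 0x0a,                    /* outer tag */
	0x81, 0x00, 0x00, 0x64,                    /* inner tag */
	0x08, 0x00, 0x45                           /* ethertype IP, first IP byte */
};

/* Read a big-endian 16-bit field without assuming alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/*
 * Return the offset of the L3 header, or -1 if the frame is truncated or
 * carries more than max_tags tags. tags[] receives the TCIs, outermost
 * first; *proto receives the final ethertype. The frame is never modified.
 */
static int
l3_offset(const uint8_t *frame, size_t len, int max_tags,
    uint16_t *tags, int *ntags, uint16_t *proto)
{
	size_t off = ETHER_HDR_LEN;
	uint16_t type;

	*ntags = 0;
	if (len < ETHER_HDR_LEN)
		return (-1);
	type = rd16(frame + 12);
	while (type == ETHERTYPE_VLAN || type == ETHERTYPE_QINQ) {
		/* Bound both the tag depth and the read before touching data. */
		if (*ntags >= max_tags || len - off < ETHER_VLAN_ENCAP_LEN)
			return (-1);
		tags[(*ntags)++] = rd16(frame + off);  /* TCI */
		type = rd16(frame + off + 2);          /* next ethertype */
		off += ETHER_VLAN_ENCAP_LEN;
	}
	*proto = type;
	return ((int)off);
}
```

With `max_tags` set to 1 the same frame is refused rather than filtered at the wrong offset, which is the behaviour a filter wants when it meets more tag nesting than it was configured to handle.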