Date: Fri, 09 Mar 2007 14:26:45 +0100 From: "Frank Behrens" <frank@pinky.sax.de> To: "Bruce M. Simpson" <bms@FreeBSD.org> Cc: freebsd-net@FreeBSD.org Subject: Re: tap(4) should go UP if opened Message-ID: <200703091326.l29DQkYk008478@pinky.frank-behrens.de> In-Reply-To: <45F15378.3020207@FreeBSD.org> References: <200703091036.l29AawwJ005466@pinky.frank-behrens.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Bruce, thanks for your answer!
Bruce M. Simpson <bms@FreeBSD.org> wrote on 9 Mar 2007 12:30:
> Frank Behrens wrote:
> > How does tun(4) handle this? tun(4) is also set to down, when closed. It is not set to up, when
> > ist is opened, but when an address is assigned by the user process. This is fine, because it
> > needs always an ip address. tap(4) as layer 2 tunnel device does not need an ip address, so
> > setting it up on open is IMHO the best solution.
> >
> This isn't consistent with the other software cloneable interfaces which
> emulate certain layer 2 semantics, e.g. bridge, trunk, vlan; see below.
May be, but we have for tap(4) the possibility to attach a non root user process.
> I recently committed Landon Fuller's code which makes tap and tun
> cloneable interfaces which may then be created via 'ifconfig tap0 create'.
I appreciate that. :-) It was the reason to build a new 6.2 kernel and to try to run the attached
process not as root.
> Automatically setting the interface to IFF_UP is not consistent with the
> semantics for other network interfaces; it requires specific privileges
> (usually super-user or PRIV_NET_SETIFFLAGS in -CURRENT) to do.
My idea is to set it to IFF_UP when the process _opens_ the interface. It can happen only if
1. the process has root provileges OR
2. net.link.tap.user_open=1 AND special rights are set on /dev/tapx
> A more involved patch is needed to do this right for all cases -- we
> should not do this by default.
But when it is useful to open a tap device by a non root process, when the tap is not IFF_UP?
May be my patch had not enough context to see immediately, where it fits into the game. To
make it easier for the reviewers I show the complete function:
/*
* tapopen
*
* to open tunnel. must be superuser
*/
static int
tapopen(struct cdev *dev, int flag, int mode, struct thread *td)
{
struct tap_softc *tp = NULL;
struct ifnet *ifp = NULL;
int error, s;
if (tapuopen == 0) {
error = suser(td);
if (error != 0)
return (error);
}
if ((dev2unit(dev) & CLONE_UNITMASK) > TAPMAXUNIT)
return (ENXIO);
tp = dev->si_drv1;
mtx_lock(&tp->tap_mtx);
if (tp->tap_flags & TAP_OPEN) {
mtx_unlock(&tp->tap_mtx);
return (EBUSY);
}
bcopy(IFP2ENADDR(tp->tap_ifp), tp->ether_addr, sizeof(tp->ether_addr));
tp->tap_pid = td->td_proc->p_pid;
tp->tap_flags |= TAP_OPEN;
ifp = tp->tap_ifp;
mtx_unlock(&tp->tap_mtx);
s = splimp();
ifp->if_drv_flags |= IFF_DRV_RUNNING;
ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
ifp->if_flags |= IFF_UP; /* ------- new line ------ */
splx(s);
TAPDEBUG("%s is open. minor = %#x\n", ifp->if_xname, minor(dev));
return (0);
} /* tapopen */
Regards,
Frank
--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200703091326.l29DQkYk008478>