From nobody@FreeBSD.org  Wed Sep 30 23:51:50 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3050C106568B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 30 Sep 2009 23:51:50 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 1E4608FC1B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 30 Sep 2009 23:51:50 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n8UNpnxW096463
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 30 Sep 2009 23:51:49 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n8UNpncW096462;
	Wed, 30 Sep 2009 23:51:49 GMT
	(envelope-from nobody)
Message-Id: <200909302351.n8UNpncW096462@www.freebsd.org>
Date: Wed, 30 Sep 2009 23:51:49 GMT
From: P Kern <pak@cns.utoronto.ca>
To: freebsd-gnats-submit@FreeBSD.org
Subject: patch to allow if_bridge to forward just VLAN-tagged (or untagged) packets
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         139268
>Category:       kern
>Synopsis:       [if_bridge] [patch] allow if_bridge to forward just VLAN-tagged (or untagged) packets
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 01 00:00:08 UTC 2009
>Closed-Date:    
>Last-Modified:  Wed Feb 23 14:00:22 UTC 2011
>Originator:     P Kern
>Release:        7.2-RELEASE
>Organization:
University of Toronto  CNS
>Environment:
FreeBSD utcs 7.2-RELEASE FreeBSD 7.2-RELEASE #4: Thu Sep 24 03:59:57 UTC 2009     pak@utcs:/usr/src/sys/i386/compile/BUG  i386

>Description:
This patch to if_bridge(4) allows the use of the 'link0' or 'link1' interface options to control whether the bridge forwards all packets or just packets with VLAN tags or just packets without VLAN tags (vlan 0?).
Use 'ifconfig bridge0 link0' to make a bridge forward only untagged packets, leaving the tagged packets to be forwarded or processed separately, by other bridges or cloned interfaces.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- sys/net/if_bridge.c	2009/09/29 17:20:13	1.1
+++ sys/net/if_bridge.c	2009/09/29 17:45:14
@@ -2109,6 +2109,16 @@
 		return (m);
 
 	bifp = sc->sc_ifp;
+
+	if (m->m_flags & M_VLANTAG) {	/* packet has a valid VLAN tag */
+		if (bifp->if_flags & IFF_LINK0)
+			/* LINK0 == only bridge untagged packets. skip VLANs. */
+			return (m);
+	}
+	else if (bifp->if_flags & IFF_LINK1) {
+		/* LINK1 == only bridge VLAN-tagged packets. skip untagged. */
+		return (m);
+	}
 	vlan = VLANTAGOF(m);
 
 	/*
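Review bot: with both link0 and link1 set on the bridge, both early returns are reachable (tagged frames leave via the IFF_LINK0 branch, untagged via the IFF_LINK1 branch), so the bridge hands every frame back unbridged; either reject that combination where the flags are set or document it. Two style(9) points in the same hunk: `}` followed by `else if` on its own line should be `} else if (bifp->if_flags & IFF_LINK1) {`, and the comment sitting between `if (bifp->if_flags & IFF_LINK0)` and its brace-less `return (m);` is better placed above the `if`, with braces around the body. Finally, the test keys only on M_VLANTAG, i.e. a tag already moved into the mbuf packet header; it is worth confirming that a frame still carrying an in-band 802.1Q header from a driver without hardware tagging reaches this point with M_VLANTAG set, otherwise link0 will treat it as untagged and forward it.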
--- share/man/man4/if_bridge.4	2009/09/30 23:02:12	1.1
+++ share/man/man4/if_bridge.4	2009/09/30 23:24:25
@@ -126,6 +126,23 @@
 stream.
 This is useful for reconstructing the traffic for network taps
 that transmit the RX/TX signals out through two separate interfaces.
+.Pp
+The
+.Nm
+driver also supports two special link options:
+.Bl -tag -width link0
+.It Cm link0
+Forward only those packets that do
+.Cm not
+contain valid VLAN tags (ie. packets in vlan 0).
+This allows VLAN-tagged packets to be bridged or processed separately.
+.El
+.Bl -tag -width link1
+.It Cm link1
+Forward only those packets that do contain valid VLAN tags.
+This is the complement of
+.Cm link0.
+.El
 .Sh SPANNING TREE
 The
 .Nm
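Review bot: the two options should sit in one list; the `.El` after the link0 entry followed by a second `.Bl -tag -width link1` renders as two separate indented blocks, so keep a single `.Bl -tag -width link0` holding both `.It Cm` entries. On the last line `.Cm link0.` passes the period to the macro as part of its argument; mdoc wants trailing punctuation as a separate token, `.Cm link0 .`. In the link0 text "ie." should be "i.e.", and "packets in vlan 0" conflates untagged frames with priority-tagged frames (VID 0), which do carry a tag and are not what the code skips; say "untagged packets". The page should also state what happens when both link0 and link1 are set, since the code then forwards nothing.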


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Oct 1 06:36:57 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=139268 

From: elof2@sentor.se
To: bug-followup@FreeBSD.org, pak@cns.utoronto.ca
Cc:  
Subject: Re: kern/139268: [if_bridge] [patch] allow if_bridge to forward just
 VLAN-tagged (or untagged) packets
Date: Wed, 23 Feb 2011 14:57:46 +0100 (CET)

 I'm attaching my semi-related feature request to P Kern's request from 
 2009.
 
 Allow if_bridge to "normalise" frames before sending them to bpf, to 
 simplify (and sometimes correctify) traffic sniffing and network 
 debugging.
 
 
 
 Question:
 How do I get in touch with a developer that can make this feature find 
 its way into FreeBSD base? What would it cost me and how soon could it be 
 added?
 
 
 
 
 Scenario:
 I create a bridge0 interface using (one or) multiple parent NICs. Then I
 sniff the traffic on this cloned NIC, 'tcpdump -nli bridge0 port 80'.
 
 Benefit:
 Multiple NICs are bonded together and can easily be sniffed on ONE
 interface with ONE sniffer process.
 
 Drawback:
 If the sniffer uses a bpf filter like "port 80", and the incoming mirrored 
 traffic consists of a mix of untagged and vlan tagged (802.1q) packets, 
 only the untagged packets will match. To see if there is any www traffic 
 in the mirrored vlans, one needs to change the filter to "vlan and port 
 80", but then you lose the untagged lan.   ...a catch-22. :-(
 
 
 
 The file sys/net/if_bridge.c prior to revision 186365 
 (http://svn.freebsd.org/viewvc/base?view=revision&revision=186365) used 
 the function call BPF_MTAP to send a copy of a packet to bpf. Since this 
 gave a stripped packet to the sniffer rather than the full and correct frame, 
 this bug was corrected in revision 186365 using ETHER_BPF_MTAP.
 
 My request is simply to have the possibility to override the defaults 
 and do it the "buggy" way again, since this proved to be a great feature 
 rather than a bug. :-)
 
 
 
 Having a function that simply strips off any vlan tag from tagged packets
 is wonderful when it comes to sniffing. Especially since switches from all
 brands behave differently when it comes to SPAN and vlan tags (a SYN 
 packet could be mirrored untagged while the corresponding SYN+ACK is 
 mirrored with a vlan tag set). It is also quite common that net admins 
 configure uplink ports with multiple vlans AND an untagged lan. When you 
 SPAN this uplink you get both tagged and untagged traffic in a mix, making 
 it hard to work with one bpf filter on the full scope of the received 
 traffic.
 
 By normalising the mirrored traffic sent to bpf, a network technician can
 more easily perform his network debugging. Also, there is less risk of
 human mistakes due to the lack of insight that he needs to use the
 'vlan' keyword in his tcpdump/tshark/ngrep/whatever to match the traffic. 
 Also state-keeping tools like snort and argus benefit from normalised 
 traffic since they fail to build a correct state table if the SYN and 
 SYN+ACK belong to two different vlans.
 
 
 My request is that if a sysctl variable (like
 net.link.bridge.bpf.strip_header) is true, then if_bridge will pass
 stripped packets to bpf. By default it should naturally pass
 the full frame.
 
 
 
 PS. There are only four places in if_bridge.c that need to be updated to
 something like this, so the actual work to do is pretty simple:
    if (net.link.bridge.bpf.strip_header == 1)
      BPF_MTAP(bifp, m);
    else
      ETHER_BPF_MTAP(bifp, m);
 
 /Elof
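The two requests in this PR, P Kern's link0/link1 forwarding rule and Elof's "strip the tag before bpf" normalisation, both turn on the same thing: whether an 802.1Q tag is present at offset 12 of the frame. The following userland model, added here as an example and not code from the PR or from FreeBSD, demonstrates both on constructed frames: it classifies a frame as tagged or untagged, applies the link0/link1 decision exactly as the patch does (BR_LINK0/BR_LINK1 are hypothetical stand-ins for IFF_LINK0/IFF_LINK1), strips the tag the way a normalising bpf tap would, and runs a stand-in "port 80" check that, like a filter compiled for untagged frames, expects the IPv4 header at offset 14. The SYN/SYN+ACK frames, MAC and IP addresses are constructed sample data; the matcher is a simplified model, not bpf itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire-format constants; BR_LINK* are hypothetical stand-ins for IFF_LINK0/1. */
#define ETHER_HDR_LEN   14
#define VLAN_TAG_LEN    4
#define ETHERTYPE_VLAN  0x8100
#define ETHERTYPE_IP    0x0800
#define IPPROTO_TCP     6
enum { BR_LINK0 = 1, BR_LINK1 = 2 };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* 1 if the frame carries an in-band 802.1Q tag after the MAC addresses. */
int frame_is_tagged(const uint8_t *f, size_t len)
{
	return (len >= ETHER_HDR_LEN + VLAN_TAG_LEN && get16(f + 12) == ETHERTYPE_VLAN);
}

/* VLAN ID from the TCI, or -1 for an untagged frame. */
int frame_vid(const uint8_t *f, size_t len)
{
	return (frame_is_tagged(f, len) ? (get16(f + 14) & 0x0fff) : -1);
}

/* The patch's rule: link0 skips tagged frames, link1 skips untagged ones,
 * both set skips everything. Returns 1 when the bridge would forward. */
int bridge_forwards(const uint8_t *f, size_t len, unsigned if_flags)
{
	int tagged = frame_is_tagged(f, len);

	if (tagged && (if_flags & BR_LINK0))
		return (0);
	if (!tagged && (if_flags & BR_LINK1))
		return (0);
	return (1);
}

/* Normalisation before bpf: copy the frame with its 802.1Q tag removed.
 * Returns the new length, or 0 if the output buffer is too small. */
size_t normalise_frame(const uint8_t *f, size_t len, uint8_t *out, size_t cap)
{
	if (len > cap)
		return (0);
	if (!frame_is_tagged(f, len)) {
		memcpy(out, f, len);
		return (len);
	}
	memcpy(out, f, 12);                 /* dst + src MAC */
	memcpy(out + 12, f + 16, len - 16); /* real ethertype onward */
	return (len - VLAN_TAG_LEN);
}

/* Stand-in for a "port N" filter compiled for untagged frames: the IPv4
 * header is expected at offset 14, so a tagged frame never matches. */
int matches_tcp_port(const uint8_t *f, size_t len, uint16_t port)
{
	const uint8_t *ip, *tcp;
	size_t ihl;

	if (len < ETHER_HDR_LEN + 20 || get16(f + 12) != ETHERTYPE_IP)
		return (0);
	ip = f + ETHER_HDR_LEN;
	ihl = (size_t)(ip[0] & 0x0f) * 4;
	if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != IPPROTO_TCP ||
	    len < ETHER_HDR_LEN + ihl + 4)
		return (0);
	tcp = ip + ihl;
	return (get16(tcp) == port || get16(tcp + 2) == port);
}

/* Constructed sample: minimal Ethernet/IPv4/TCP frame, checksums left zero.
 * vid < 0 builds an untagged frame; otherwise an 802.1Q tag with that VID. */
size_t build_frame(uint8_t *buf, int vid, uint16_t sport, uint16_t dport)
{
	static const uint8_t dst[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
	static const uint8_t src[6] = { 0x00, 0x66, 0x77, 0x88, 0x99, 0xaa };
	size_t off = 12;
	uint8_t *ip, *tcp;

	memcpy(buf, dst, 6); memcpy(buf + 6, src, 6);
	if (vid >= 0) {
		put16(buf + off, ETHERTYPE_VLAN);
		put16(buf + off + 2, (uint16_t)(vid & 0x0fff)); /* PCP/DEI = 0 */
		off += VLAN_TAG_LEN;
	}
	put16(buf + off, ETHERTYPE_IP); off += 2;
	ip = buf + off; memset(ip, 0, 20);
	ip[0] = 0x45; put16(ip + 2, 40); ip[8] = 64; ip[9] = IPPROTO_TCP;
	ip[12] = 10; ip[15] = 1; ip[16] = 10; ip[19] = 2; /* 10.0.0.1 -> 10.0.0.2 */
	off += 20;
	tcp = buf + off; memset(tcp, 0, 20);
	put16(tcp, sport); put16(tcp + 2, dport);
	tcp[12] = 0x50; tcp[13] = 0x02; /* data offset 5, SYN */
	return (off + 20);
}

struct result { int tagged, vid, forwarded, match_raw, match_norm; };

/* One frame through classification, the link0/link1 decision, and the
 * port filter both on the raw frame and after normalising it. */
struct result evaluate(int vid, uint16_t sport, uint16_t dport, unsigned if_flags, uint16_t port)
{
	uint8_t raw[128], norm[128];
	struct result r;
	size_t len = build_frame(raw, vid, sport, dport);
	size_t nlen = normalise_frame(raw, len, norm, sizeof(norm));

	r.tagged = frame_is_tagged(raw, len);
	r.vid = frame_vid(raw, len);
	r.forwarded = bridge_forwards(raw, len, if_flags);
	r.match_raw = matches_tcp_port(raw, len, port);
	r.match_norm = matches_tcp_port(norm, nlen, port);
	return (r);
}

int main(void)
{
	/* Elof's scenario: SYN mirrored untagged, SYN+ACK mirrored in VLAN 100. */
	struct result syn = evaluate(-1, 40000, 80, BR_LINK0, 80);
	struct result synack = evaluate(100, 80, 40000, BR_LINK0, 80);

	printf("SYN    : tagged=%d vid=%d link0-forwards=%d 'port 80' raw=%d normalised=%d\n",
	    syn.tagged, syn.vid, syn.forwarded, syn.match_raw, syn.match_norm);
	printf("SYN+ACK: tagged=%d vid=%d link0-forwards=%d 'port 80' raw=%d normalised=%d\n",
	    synack.tagged, synack.vid, synack.forwarded, synack.match_raw, synack.match_norm);
	return (0);
}
```

The raw SYN+ACK fails the "port 80" check because offset 12 holds 0x8100 rather than 0x0800, which is exactly why a sniffer sees only half the handshake; after normalise_frame() both directions match the same filter. The same classification drives bridge_forwards(): with BR_LINK0 the tagged SYN+ACK is handed back unbridged, and with both flags set nothing is forwarded at all.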
>Unformatted:
