# if_bridge - stripping off 802.1q vlan tags



## elof (Feb 17, 2011)

I don't know if this is a bug or drastically changed functionality regarding 802.1q tags.

Something in if_bridge (or some other part of the packet processing) seems to have changed between FreeBSD 6.4 and 7.3. VLAN tags are no longer stripped off!


Scenario:
I create a bridge0 interface on a FreeBSD 6.4 machine using one or multiple parent NICs. Then I sniff traffic on this cloned NIC.

There are two results:
* multiple NICs are bonded together and can be easily sniffed on ONE interface
* the sniffer will always receive plain ethernet frames without any 802.1q vlan tags

If I sniff directly on the parent NIC(s), I see vlan-tagged packets and ordinary untagged packets in a mix, which is bad.

In essence, creating the bridge0 NIC solves the problem where a mirrored SYN packet might be untagged while the SYN-ACK in the other direction is tagged (HP switches usually mirror traffic in this awkward way).
If I run tcpdump with the bpf filter 'tcp', it will only match the SYN and not the SYN-ACK, since 'tcp' implies an IP packet in an ordinary ethernet frame, while the SYN-ACK is a VLAN frame.
In order to filter out the SYN-ACK, I need the bpf filter 'vlan and tcp', but then I lose the SYN packet.    ...catch 22... :\

By pointing tcpdump towards the bridge0 NIC, the filter 'tcp' will show both directions of the connection (SYN and SYN-ACK). 


Now, the problem is that FreeBSD 7.3 (and possibly earlier versions, I haven't tried them) doesn't behave the same as v6.4.
With the same configuration, tcpdump now receives vlan-tagged frames on bridge0 where I expect 100% untagged packets. 


Configuration to create the vlan-tag-free sniffer NIC "mon0":

```
ifconfig_bge1="up -arp"
cloned_interfaces="bridge0"
ifconfig_bridge0="up addm bge1 -discover bge1 -learn bge1 private bge1 \
                  maxaddr 1 -arp monitor name mon0"
```
Notes:
bge1 is connected to a SPAN port on a HP switch. I disable arp as a security measure.
I rename bridge0 to mon0 for human readability. I disable all kinds of learning on the bridge since it should never in fact forward any traffic.
Finally I run the cloned NIC in monitor mode to drop all packets directly after the bpf stage.



Do you know how to fix this the way it used to work?
...or some other way to simply strip off the 802.1q tag on incoming traffic (leaving untagged packets untouched)... The smaller the performance impact, the better.


----------



## SirDice (Feb 17, 2011)

I don't have much experience with this but you should probably bridge the vlan interfaces not the 'parent' interface.


----------



## elof (Feb 17, 2011)

No, I don't want to create tens or hundreds of vlan interfaces and bridge them together.
I used that approach on FreeBSD 6.2 and earlier, before the possibility to just strip off *any* vlan tag. The biggest problem then was that every time someone in the network created a new VLAN, I had to update the configuration on the sniffer and add a new vlan NIC.

In 6.4 all you need to do is to create a bridge0, and it will automatically strip off any vlan tags in received packets from the parent NIC.

That's what I want back in 7.3.


----------



## SirDice (Feb 17, 2011)

I think you actually relied on a bug....

http://svn.freebsd.org/viewvc/base?view=revision&revision=186365

As far as I know if_bridge doesn't do anything with vlan tags. It only looks at the source and destination MAC addresses and forwards packets unaltered. Even looking at the source code in the 6.x tree doesn't show anything related to if_bridge stripping off VLAN tags.


----------



## elof (Feb 17, 2011)

Heh. Indeed.

Hmmm, I wonder if I (an amateur programmer) could make out the difference between the old kernel and the new one, and make a patch to get a new if_bridge.ko to do the magic for me. Probably not, since the module has undergone vast changes during the last year. :\


----------



## aragon (Feb 18, 2011)

It sounds like the bug is in your switch, not if_bridge...


----------



## elof (Feb 18, 2011)

Yes. In lots of switches all over the world.
Also a very common scenario is where the mirrored traffic consists of a few vlans AND an untagged lan.
It is very convenient to simply strip off any vlan tags from that traffic in order to normalise the packets.
Once normalised, a sniffer daemon can use a bpf filter like "port 80" to find www-traffic in both the untagged and the tagged traffic simultaneously. (Otherwise "port 80" would only match www-traffic in the untagged portion of the mirrored traffic, and the filter "vlan and port 80" would match the rest.)

That's why the bug in 6.4 was really a feature and something that you should be able to configure.

Is there a way to get in contact with Jason R. Thorpe or Andrew Thompson to ask if they could add a sysctl flag that lets the user configure whether if_bridge should pass the full frame (ETHER_BPF_MTAP) or a stripped frame (BPF_MTAP) to bpf?

<thorpej@wasabisystems.com> = nonexistent address.
<thompsa@FreeBSD.org>  FreeBSD people don't really check these inboxes, do they?


----------
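The mismatch elof describes in the first post (a 'tcp' filter matches the untagged SYN but not the tagged SYN-ACK) and again in the "port 80" example above comes down to offsets: a plain BPF primitive assumes the IP header starts at byte 14, and a 802.1Q tag pushes it four bytes further. The following Python is an added illustration, not code from the thread or from FreeBSD's if_bridge: it strips 802.1Q (and 802.1ad double) tags off a raw frame the way the 6.4 bridge was observed to, and shows an offset-based TCP check failing on the tagged frame before normalisation and succeeding after. The frames, MAC addresses, VLAN IDs and ports are constructed test data.

```python
# Added example (not from the original thread or from if_bridge): strip
# 802.1Q/802.1ad tags off received frames so that a single offset-based
# check, the equivalent of a plain 'tcp' or 'port 80' BPF filter, matches
# tagged and untagged traffic alike. All frames below are constructed
# inline; the MACs, VLAN IDs and ports are arbitrary assumptions.
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (double tagging), stripped the same way
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def strip_vlan_tags(frame: bytes):
    """Return (untagged_frame, vids).

    Every 802.1Q/802.1ad tag sitting directly after the MAC addresses is
    removed and its VLAN ID recorded. Untagged frames come back unchanged
    with an empty VID list, which is the "leave untagged packets untouched"
    behaviour asked for in the thread.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    vids = []
    body = frame[12:]                       # starts at the (first) EtherType
    while len(body) >= 4 and struct.unpack("!H", body[:2])[0] in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        tci = struct.unpack("!H", body[2:4])[0]
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VID
        body = body[4:]                     # drop TPID + TCI (4 bytes)
    return frame[:12] + body, vids


def naive_tcp_ports(frame: bytes):
    """Mimic a plain 'tcp' / 'port' BPF filter: assume IPv4 begins at byte 14.

    Returns (sport, dport) or None. A tagged frame fails here because byte 12
    holds 0x8100 rather than 0x0800, the exact mismatch the thread describes.
    """
    if len(frame) < 14 + 20 + 4:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[14 + 9] != IPPROTO_TCP:        # protocol field of the IP header
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 4:
        return None
    return struct.unpack("!HH", frame[tcp:tcp + 4])


def build_tcp_frame(sport, dport, flags, vids=()):
    """Build a minimal Ethernet/IPv4/TCP frame, optionally wrapped in VLAN tags.

    Checksums are left at zero; this is constructed test data, not real traffic.
    With more than one VID the outer tag is an 802.1ad service tag (QinQ).
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tags = b""
    for i, vid in enumerate(vids):
        tpid = ETHERTYPE_QINQ if (i == 0 and len(vids) > 1) else ETHERTYPE_VLAN
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI left at 0
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # assumed MACs
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def demo():
    """SYN mirrored untagged, SYN-ACK mirrored on VLAN 100, as on the HP SPAN port."""
    syn = build_tcp_frame(40000, 80, TCP_SYN)
    synack = build_tcp_frame(80, 40000, TCP_SYN | TCP_ACK, vids=(100,))
    raw = [naive_tcp_ports(f) for f in (syn, synack)]
    normalised = [naive_tcp_ports(strip_vlan_tags(f)[0]) for f in (syn, synack)]
    return raw, normalised


if __name__ == "__main__":
    raw, normalised = demo()
    print("as sniffed on the parent NIC :", raw)          # [(40000, 80), None]
    print("after stripping VLAN tags    :", normalised)   # [(40000, 80), (80, 40000)]
```

`strip_vlan_tags` loops rather than removing a single tag because a provider-bridged (QinQ) frame carries two, and a normaliser that only peels one would still leave the SYN-ACK invisible to an offset-based filter. Recording the stripped VIDs is deliberate: once the tag is gone the sniffer can no longer tell which VLAN a frame came from, so anything that matters for the investigation (which segment the SYN-ACK was mirrored from) has to be kept alongside the normalised frame.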



## SirDice (Feb 18, 2011)

I think the best way forward is to address this on the freebsd-net@ mailing list.


----------



## elof (Feb 18, 2011)

I agree. Will try there.


----------

