Re: Changes to VLAN and promiscuous mode in 6.6

2019-11-03 Thread David Gwynne
Hey,

This should be fixed in current as of r1.199 of src/sys/net/if_vlan.c

Sorry for the inconvenience.

Cheers,
dlg

> On 29 Oct 2019, at 19:49, Zé Loff wrote:
> 
> 
> Hi all
> 
> Some changes in VLAN-related code went into 6.6 and I think some of them
> changed the way the parent interface gets into promiscuous mode.  Let me
> try to explain...
> 
> Our ISP provides internet and VoIP over two separate VLANs (100 and 101,
> respectively).  Our external firewall has two physical interfaces re0,
> and re1, and also does the filtering and NATing for internet, but VoIP
> traffic is transparently forwarded to the VoIP phone.  So it's something
> like this:
> 
> GPON -> re0 -+--> vlan100  -> (PF/NAT) -> vlan90   -+-> re1 -> A switch
>               \-> vlan1010 -> bridge1  -> vlan1011 -/
> 
> The VoIP phone connected to the switch, which does all the appropriate
> tagging and untagging.  re0 and re1 have no IP addresses, neither do the
> vlan1010, vlan1011 and bridge1 virtual interfaces.  The VoIP phone gets
> configured by DHCP, and gets its address (and etc) from the ISP.  All
> interfaces are up, and correctly configured (ifconfigs below).  This
> worked fine up until the 6.6 upgrade.
> 
> Now, if things are left alone, the phone fails to get DHCP replies.
> This can be checked by running "tcpdump -i re1 vlan 101", which clearly
> shows the DHCP requests coming from the phone, but getting no replies.
> Exactly the same is seen on vlan1011 and vlan1010 (i.e. on both sides of
> the bridge1): DHCP requests but no replies.  If tcpdump is run on re0
> ("tcpdump -i re0 vlan 101") then the interface goes into promiscuous
> mode and the DHCP replies start flowing from the ISP and the phone
> finally gets configured.  Crucially, if the "-p" flag is added to
> tcpdump (i.e. not putting the if in promiscuous mode), DHCP fails.
> 
> Is this behaviour intended and, if so, can re0 be configured to stay in
> promiscuous mode without having to do something silly as tcpdump'ing
> into /dev/null?
> 
> Thanks in advance
> Zé
> 
> -- 
> 
> # ifconfig -A
> lo0: flags=8049 mtu 32768
>         index 5 priority 0 llprio 3
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff00
> re0: flags=8b43 mtu 1500
>         lladdr 00:0d:b9:3c:b0:e8
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
> re1: flags=8843 mtu 9100
>         lladdr 00:0d:b9:3c:b0:e9
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>         status: active
> re2: flags=8802 mtu 1500
>         lladdr 00:0d:b9:3c:b0:ea
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (10baseT half-duplex)
>         status: no carrier
> enc0: flags=0<>
>         index 4 priority 0 llprio 3
>         groups: enc
>         status: active
> bridge1: flags=41
>         index 6 llprio 3
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         vlan1011 flags=3
>                 port 11 ifpriority 0 ifcost 0
>         vlan1010 flags=3
>                 port 10 ifpriority 0 ifcost 0
>         Addresses (max cache: 100, timeout: 240):
>                 00:00:5e:00:01:c9 vlan1010 1 flags=0<>
>                 80:5e:c0:12:3f:80 vlan1011 1 flags=0<>
> vlan100: flags=808843 mtu 1500
>         lladdr 00:0d:b9:3c:b0:e8
>         description: WAN
>         index 9 priority 0 llprio 3
>         encap: vnetid 100 parent re0 txprio packet rxprio outer
>         groups: vlan egress
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
>         inet 148.69.164.57 netmask 0xfc00 broadcast 148.69.167.255
>         inet 148.69.143.1 netmask 0xfffc broadcast 148.69.143.3
> vlan1010: flags=8943 mtu 1500
>         lladdr 00:0d:b9:3c:b0:e8
>         description: VoIP WAN
>         index 10 priority 0 llprio 3
>         encap: vnetid 101 parent re0 txprio packet rxprio outer
>         groups: vlan
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
> vlan1011: flags=8943 mtu 1500
>         lladdr 00:0d:b9:3c:b0:e9
>         description: VoIP DMZ
>         index 11 priority 0 llprio 3
>         encap: vnetid 101 parent re1 txprio packet rxprio outer
>         groups: vlan
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>         status: active
> vlan90: flags=8843 mtu 9000
>         lladdr 00:0d:b9:3c:b0:e9
>         description: DMZ
>         index 14 priority 0 llprio 3
>         encap: vnetid 90 parent re1 txprio packet rxprio outer
>         groups: vlan
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>         status: active
>         inet 10.17.16.1 netmask 0xfe00 broadcast 10.17.17.255
> pflog0: flags=141 mtu 33136
>         index 15 priority 0 llprio 3
>         groups: pflogDear sirs
> 
> 
> 
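
The ifconfig output quoted above shows only the hex flag words, so the promiscuous bit has to be read from them. This added example (not part of either message, and not OpenBSD code) parses that output and lists vlan interfaces that are promiscuous while their parent is not; it assumes the standard BSD `IFF_PROMISC` value of 0x100, and the function names are hypothetical.

```python
import re

IFF_PROMISC = 0x100  # assumed: IFF_PROMISC bit from BSD <net/if.h>

# Sample input: hex flags and encap lines trimmed from the ifconfig -A
# output posted in the thread (other lines omitted).
SAMPLE = """\
re0: flags=8b43 mtu 1500
re1: flags=8843 mtu 9100
vlan1010: flags=8943 mtu 1500
        encap: vnetid 101 parent re0 txprio packet rxprio outer
vlan1011: flags=8943 mtu 1500
        encap: vnetid 101 parent re1 txprio packet rxprio outer
vlan90: flags=8843 mtu 9000
        encap: vnetid 90 parent re1 txprio packet rxprio outer
"""

HEADER = re.compile(r"^(\S+): flags=([0-9a-fA-F]+)")
ENCAP = re.compile(r"^encap: vnetid (\d+) parent (\S+)")

def parse_ifconfig(text):
    """Map ifname -> {"flags": int, "vnetid": int or None, "parent": str or None}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        line = line.lstrip("> \t")  # tolerate mail quoting and lost indentation
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": int(m.group(2), 16),
                               "vnetid": None, "parent": None}
            continue
        m = ENCAP.match(line)
        if m and current:
            ifaces[current]["vnetid"] = int(m.group(1))
            ifaces[current]["parent"] = m.group(2)
    return ifaces

def promisc_mismatches(ifaces):
    """Return (child, vnetid, parent) where only the child has IFF_PROMISC."""
    out = []
    for name, info in ifaces.items():
        if info["parent"] is None or not info["flags"] & IFF_PROMISC:
            continue
        parent = ifaces.get(info["parent"])  # parents absent from the dump are skipped
        if parent is not None and not parent["flags"] & IFF_PROMISC:
            out.append((name, info["vnetid"], info["parent"]))
    return out

if __name__ == "__main__":
    for child, vid, parent in promisc_mismatches(parse_ifconfig(SAMPLE)):
        print(f"{child} (vnetid {vid}) is promiscuous, parent {parent} is not")
```

On the posted values this reports vlan1011 on re1 only: re0 (0x8b43) carries the promiscuous bit in this dump, re1 (0x8843) does not.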

Changes to VLAN and promiscuous mode in 6.6

2019-10-29 Thread Zé Loff


Hi all

Some changes in VLAN-related code went into 6.6 and I think some of them
changed the way the parent interface gets into promiscuous mode.  Let me
try to explain...

Our ISP provides internet and VoIP over two separate VLANs (100 and 101,
respectively).  Our external firewall has two physical interfaces re0,
and re1, and also does the filtering and NATing for internet, but VoIP
traffic is transparently forwarded to the VoIP phone.  So it's something
like this:

GPON -> re0 -+--> vlan100  -> (PF/NAT) -> vlan90   -+-> re1 -> A switch
              \-> vlan1010 -> bridge1  -> vlan1011 -/

The VoIP phone connected to the switch, which does all the appropriate
tagging and untagging.  re0 and re1 have no IP addresses, neither do the
vlan1010, vlan1011 and bridge1 virtual interfaces.  The VoIP phone gets
configured by DHCP, and gets its address (and etc) from the ISP.  All
interfaces are up, and correctly configured (ifconfigs below).  This
worked fine up until the 6.6 upgrade.

Now, if things are left alone, the phone fails to get DHCP replies.
This can be checked by running "tcpdump -i re1 vlan 101", which clearly
shows the DHCP requests coming from the phone, but getting no replies.
Exactly the same is seen on vlan1011 and vlan1010 (i.e. on both sides of
the bridge1): DHCP requests but no replies.  If tcpdump is run on re0
("tcpdump -i re0 vlan 101") then the interface goes into promiscuous
mode and the DHCP replies start flowing from the ISP and the phone
finally gets configured.  Crucially, if the "-p" flag is added to
tcpdump (i.e. not putting the if in promiscuous mode), DHCP fails.

Is this behaviour intended and, if so, can re0 be configured to stay in
promiscuous mode without having to do something silly as tcpdump'ing
into /dev/null?

Thanks in advance
Zé

-- 

# ifconfig -A
lo0: flags=8049 mtu 32768
        index 5 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff00
re0: flags=8b43 mtu 1500
        lladdr 00:0d:b9:3c:b0:e8
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
re1: flags=8843 mtu 9100
        lladdr 00:0d:b9:3c:b0:e9
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
re2: flags=8802 mtu 1500
        lladdr 00:0d:b9:3c:b0:ea
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (10baseT half-duplex)
        status: no carrier
enc0: flags=0<>
        index 4 priority 0 llprio 3
        groups: enc
        status: active
bridge1: flags=41
        index 6 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        vlan1011 flags=3
                port 11 ifpriority 0 ifcost 0
        vlan1010 flags=3
                port 10 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):
                00:00:5e:00:01:c9 vlan1010 1 flags=0<>
                80:5e:c0:12:3f:80 vlan1011 1 flags=0<>
vlan100: flags=808843 mtu 1500
        lladdr 00:0d:b9:3c:b0:e8
        description: WAN
        index 9 priority 0 llprio 3
        encap: vnetid 100 parent re0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 148.69.164.57 netmask 0xfc00 broadcast 148.69.167.255
        inet 148.69.143.1 netmask 0xfffc broadcast 148.69.143.3
vlan1010: flags=8943 mtu 1500
        lladdr 00:0d:b9:3c:b0:e8
        description: VoIP WAN
        index 10 priority 0 llprio 3
        encap: vnetid 101 parent re0 txprio packet rxprio outer
        groups: vlan
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
vlan1011: flags=8943 mtu 1500
        lladdr 00:0d:b9:3c:b0:e9
        description: VoIP DMZ
        index 11 priority 0 llprio 3
        encap: vnetid 101 parent re1 txprio packet rxprio outer
        groups: vlan
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
vlan90: flags=8843 mtu 9000
        lladdr 00:0d:b9:3c:b0:e9
        description: DMZ
        index 14 priority 0 llprio 3
        encap: vnetid 90 parent re1 txprio packet rxprio outer
        groups: vlan
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.17.16.1 netmask 0xfe00 broadcast 10.17.17.255
pflog0: flags=141 mtu 33136
        index 15 priority 0 llprio 3
        groups: pflogDear sirs


# dmesg

OpenBSD 6.6 (GENERIC.MP) #372: Sat Oct 12 10:56:27 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2098511872 (2001MB)
avail mem = 2022256640 (1928MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7e16d820 (6 entries)
bios0: vendor