The original message didn't make it to the tcpdump-workers list. It follows.
---------- Forwarded message ---------- From: Paul Pearce <pea...@cs.berkeley.edu> Date: Mon, Jan 7, 2013 at 4:05 PM Subject: PROBLEM: Software injected vlan tagged packets are unable to be identified using recent BPF modifications To: net...@vger.kernel.org, tcpdump-workers@lists.tcpdump.org Cc: da...@davemloft.net, eduma...@google.com, jpi...@redhat.com, Ani Sinha <a...@aristanetworks.com> Hello folks, PROBLEM: vlan tagged packets that are injected via software are not picked up by filters using recent (kernel commit f3335031b9452baebfe49b8b5e55d3fe0c4677d1) BPF vlan modifications. I suspect this is a problem with the Linux kernel. linux-netdev and tcpdump-workers are both cc'd. BACKGROUND: Kernel commit bcc6d47903612c3861201cc3a866fb604f26b8b2 (Jiri Pirko/David S. Miller) removed vlan headers on rx packets prior to them reaching the packet filters. This broke BPF/libpcap's ability to do kernel-level packet filtering based on vlan tag information (the 'vlan' keyword). Kernel commit f3335031b9452baebfe49b8b5e55d3fe0c4677d1 (Eric Dumazet/David S. Miller, just merged into Linus's tree http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=f3335031b9452baebfe49b8b5e55d3fe0c4677d1) added the ability to use BPF to once again filter based on vlan tags. Related bpf jit commit: http://www.spinics.net/lists/netdev/msg214759.html libpcap (Ani Sinha) recently RFC'd a patch to use Eric/David's BPF modifications to restore vlan filtering to libpcap. http://www.mail-archive.com/tcpdump-workers@lists.tcpdump.org/msg06810.html I'm using this patch and it works. DETAILS: Under these patches vlan tagged packets received from mediam (actual packets from the wire) can be identified based on vlan tag information using the new BPF functionality.This is good. However, raw vlan tagged packets that are *injected* into the interface using libpcap's pcap_inject() (which is just a fancy wrapper for the send() syscall) are not identified by filters using the recent BPF modifications. The bug manifests itself if you attempt to use the new BPF modifications to filter vlan tagged packets on a live interface. All packets from the medium show up, but all injected packets are dropped. Prior to commit bcc6d47 both medium and injected packets could both be identified using BPFs. These injected packets can however still be identified using the previous, now incorrect "offset into the header" technique. Given this, I suspect what's going on is the kernel code path for these injected packets is not setting skb->vlan_tci correctly (at all?). Since the vlan tag is not in the skb data structure the new BPF modifications don't identify the packets as having a vlan tag, despite it being in the packet header. I'm not sure exactly where the bug exists so I'm reaching out to both netdev and tcpdump-workers. Although, as I said, I suspect this is on the kernel side. SOFTWARE: kernel-3.6.11-1.fc16.x86_64, with both kernel commits f3335031b9452baebfe49b8b5e55d3fe0c4677d1 and the related commit http://www.spinics.net/lists/netdev/msg214759.html backported. tcpdump version 4.4.0-PRE-GIT_2013_01_06 (commit 05bf602ef684d5b75c0ac71be04212d909c37834) libpcap version 1.4.0-PRE-GIT_2013_01_06 (commit 713034fc4b3a2c14ae81e44dca34d998db8d0795 with patch specified above) Thanks. -Paul Pearce Security Graduate Student Computer Science University of California, Berkeley _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers