WAN DHCP6 VLAN Priority tagging

franco · December 29, 2017, 05:10:00 PM

Ok here is the rub-in:

The vlan_mtag_pcp sysctl is only used twice.

https://github.com/opnsense/src/blob/master/sys/net/if_vlan.c#L1105

This is the first usage spot that checks wether a PCP was stored, also via pf. It does not allocate.

https://github.com/opnsense/src/blob/master/sys/net/if_vlan.c#L1211

And this second spot tries to preserve the PCP from a packet where the actual allocations take place.

Circling back to the description, it mentions the allocations:

https://github.com/opnsense/src/blob/master/sys/net/if_vlan.c#L160

So the value protects agains performance degradation for allocations and frees, but in the end that only pertains to the second spot which causes these allocations. Even more so, if pf made allocations, the free happens anyway, so the performance is already lost.

My preference would be to kill the first conditional so that pf modifications work always, which won't make 18.1-RC1, but there is still time for 18.1-RC2 or 18.1. That adds a list traversal overhead, but I don't see how this patch wouldn't be accepted by FreeBSD unless they want to go the other route and protect "set prio" in pf with that same sysctl (I can't see how).

This would eliminate the need for fiddling with the sysctl at all.

What do you think?

Cheers,
Franco

marjohn56 · December 29, 2017, 05:19:56 PM

I would go with whatever you think is best.

As I am adding the GUI for this option, maybe the solution is to set it to one ONLY IF this type of situation occurs, there will be a flag that will be set in the config, that could be read and the value set to 1 then.

franco · December 29, 2017, 05:27:35 PM

The problematic bit is that we're generating a side-effect while unclogging "set prio" with the sysctl:

"While uncommon, it is possible that we will find a 802.1q packet encapsulated inside another packet that also had an 802.1q header. For example, ethernet tunneled over IPSEC arriving over ethernet. In that case, we replace the existing 802.1q PCP m_tag value."

So options are:

o removing the sysctl check in the reading spot, or
o adding a different sysctl for the reading spot, or
o making the current sysctl aware of "read-only" + "read-write" PCP mode.

Unfortunately, none of these can be fully worked around in user space. :)

Will try to get more feedback from FreeBSD committers and then commit something appropriate next week.

Cheers,
Franco

marjohn56 · December 29, 2017, 05:30:30 PM

I'm sure Orange France knew of all the problems they would create when they decided on this daft idea!

franco · December 29, 2017, 05:33:31 PM

You can probably hear them laughing right now. :)

Still, fun times chasing this down.

marjohn56 · December 29, 2017, 05:35:52 PM

There will be a lot of Orange France users happy when this is finally sorted. Still need the dhclient on FreeBSD sorted and dhcp6c too.

Perhaps we could create a package for them to replace the existing clients with the modified versions just for them.

nivek1612 · December 29, 2017, 07:00:30 PM

Great work tracking this down

franco · December 30, 2017, 02:56:44 PM

So the sysctl usage is made obsolete here:

https://github.com/opnsense/src/commit/dabc3cf4ef

Then I added...

https://github.com/opnsense/src/commit/5f9b4916

And now I'm working on simplifying the option 77 patch:

https://github.com/opnsense/src/commit/c24697cb

I'm not sure if the latter compiles at the moment, but except for the BPF magic that needs review it should work if it builds. :)

franco · December 30, 2017, 03:02:40 PM

Small build issue, otherwise ready for testing...

https://github.com/opnsense/src/commit/f6b3e14

It's the dhclient_77 branch:

# opnsense-code src
# git checkout dhclient_77
# cd /usr/src/sbin/dhclient
# make
# make install

Cheers,
Franco

nivek1612 · December 30, 2017, 03:34:37 PM

Excellent thanks Franco

Will be tomorrow before I can test (family party tonight)

nivek1612 · December 30, 2017, 03:36:31 PM

Is the plan to compile a dhcp6c as well or will that need to go upstream

marjohn56 · December 30, 2017, 06:47:12 PM

Quote from: franco on December 30, 2017, 03:02:40 PM

# opnsense-code src
# git checkout dhclient_77
# cd /usr/src/sbin/dhclient
# make
# make install

Cheers,
Franco

Should the be:

# cd /usr
# opnsense-code src
#cd /usr/src
# git checkout dhclient_77
# cd /usr/src/sbin/dhclient
# make
# make install

The build issue I assume is with Kyuafile, not important?

nivek1612 · December 30, 2017, 06:53:47 PM

Im getting

fatal: Not a git repository (or any of the parent directories) .git

sure its me but I don't know what Im doing wrong

franco · December 30, 2017, 07:45:11 PM

Oh, sorry, /usr/src exists in stock install. Use this the first time:

# opnsense-code -f src

franco · December 30, 2017, 08:24:59 PM

Our next issue is here...

https://github.com/opnsense/src/commit/c24697cb44ee5ac9963ba1a7e767ae590e1ea97f#diff-4832d06a0637c8fc27150af6b8f05b19R100

The change now requests the packet for *every* packet reaching the filter instead of checking because it's returning in this first step.

WAN DHCP6 VLAN Priority tagging

franco

December 29, 2017, 05:10:00 PM #30 Last Edit: December 29, 2017, 05:12:01 PM by franco

marjohn56

December 29, 2017, 05:19:56 PM #31

franco

December 29, 2017, 05:27:35 PM #32

marjohn56

December 29, 2017, 05:30:30 PM #33

franco

December 29, 2017, 05:33:31 PM #34

marjohn56

December 29, 2017, 05:35:52 PM #35

nivek1612

December 29, 2017, 07:00:30 PM #36

franco

December 30, 2017, 02:56:44 PM #37

franco

December 30, 2017, 03:02:40 PM #38

nivek1612

December 30, 2017, 03:34:37 PM #39

nivek1612

December 30, 2017, 03:36:31 PM #40

marjohn56

December 30, 2017, 06:47:12 PM #41

nivek1612

December 30, 2017, 06:53:47 PM #42

franco

December 30, 2017, 07:45:11 PM #43

franco

December 30, 2017, 08:24:59 PM #44