NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bridge with tap - trying to set up openvpn server

On Wed, Apr 06, 2011 at 01:22:41PM +0200, Manuel Bouyer wrote:
> On Wed, Apr 06, 2011 at 07:15:57AM -0400, 
> wrote:
> > > On Wed, Apr 06, 2011 at 06:34:15AM -0400, 
> > > wrote:
> > >> Anything else to try?
> > >
> > > Hum, just a though. Do you have some vlans configured on wm1 ?
> > > Did you setup checksum offlload ?
> > 
> > vlans - no (though was wondering if it would save me some steps to
> > the server room if I set up a vlan on a different subnet so I can
> > reset the server when I'm playing with bridge0 debugging...)
> > 
> > checksum offload IS configured:
> > mtu 1500
> >      capabilities=2bf80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,
> > 
> >      enabled=3f80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,
> > 
> > Bridging seems to work when I disable it! Why would that be?
> I guess the brige drop some flags from the outgoing packet indicating that
> checksum should be performed by the adapter.
> > 
> > Should I submit a PR on this? I think my system work better
> > when offload is enabled.
> I'm not sure offload can be made to work with bridges. When a packet is
> being built at the IP level, the IP layer knows the interface with the 
> outgoing
> route as the outgoing interface, but the bridge may then reroute this
> packet to some other interface, with different capabilities.
> So the IP layer has to way to know what capabilities the outgoing interface
> will really have ...

A lot of architectural problems converge on bridge(4). :-(

In this vpnc case, instead of routes to a bridge's member interfaces
(wm0, tap0), the IP forwarding domain should have a route to an ifnet
that connects the IP domain to an ethernet forwarding domain.  Call that
ifnet br0.  Belonging to br0 is some MAC address (borrowed from the
Intel NIC?) and an IP address. br0 decaps and raises packets matching
its MAC from ethernet to IP; it encaps (using its MAC) transmitted
IP packets and lowers them to the ethernet domain.  Belonging to
the ethernet forwarding domain are the Intel NIC and the virtual
ethernet instance. br0 advertises the "right" set of checksum-offload
capabilities for the members of the ethernet forwarding domain below it.
Depending whether or not it is feasible and efficient to defer software
checksums until the last moment before transmission or not, br0 may or
may not advertise all of the member interfaces' offload capabilities.


David Young             OJC Technologies      Urbana, IL * (217) 344-0444 x24

Home | Main Index | Thread Index | Old Index