Re: bridge with tap - trying to set up openvpn server

To: netbsd-users%netbsd.org@localhost
Subject: Re: bridge with tap - trying to set up openvpn server
From: David Young <dyoung%pobox.com@localhost>
Date: Wed, 6 Apr 2011 14:51:58 -0500

On Wed, Apr 06, 2011 at 01:22:41PM +0200, Manuel Bouyer wrote:
> On Wed, Apr 06, 2011 at 07:15:57AM -0400, yancm%sdf.lonestar.org@localhost 
> wrote:
> > > On Wed, Apr 06, 2011 at 06:34:15AM -0400, 
> > > yancm%sdf.lonestar.org@localhost wrote:
> > >> Anything else to try?
> > >
> > > Hum, just a though. Do you have some vlans configured on wm1 ?
> > > Did you setup checksum offlload ?
> > 
> > vlans - no (though was wondering if it would save me some steps to
> > the server room if I set up a vlan on a different subnet so I can
> > reset the server when I'm playing with bridge0 debugging...)
> > 
> > checksum offload IS configured:
> > wm1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
> > mtu 1500
> >      capabilities=2bf80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,
> >        TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Tx,UDP6CSUM_Tx>
> > 
> >      enabled=3f80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,
> >        TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx>
> > 
> > Bridging seems to work when I disable it! Why would that be?
> 
> I guess the brige drop some flags from the outgoing packet indicating that
> checksum should be performed by the adapter.
> 
> > 
> > Should I submit a PR on this? I think my system work better
> > when offload is enabled.
> 
> I'm not sure offload can be made to work with bridges. When a packet is
> being built at the IP level, the IP layer knows the interface with the 
> outgoing
> route as the outgoing interface, but the bridge may then reroute this
> packet to some other interface, with different capabilities.
> So the IP layer has to way to know what capabilities the outgoing interface
> will really have ...

A lot of architectural problems converge on bridge(4). :-(

In this vpnc case, instead of routes to a bridge's member interfaces
(wm0, tap0), the IP forwarding domain should have a route to an ifnet
that connects the IP domain to an ethernet forwarding domain.  Call that
ifnet br0.  Belonging to br0 is some MAC address (borrowed from the
Intel NIC?) and an IP address. br0 decaps and raises packets matching
its MAC from ethernet to IP; it encaps (using its MAC) transmitted
IP packets and lowers them to the ethernet domain.  Belonging to
the ethernet forwarding domain are the Intel NIC and the virtual
ethernet instance. br0 advertises the "right" set of checksum-offload
capabilities for the members of the ethernet forwarding domain below it.
Depending whether or not it is feasible and efficient to defer software
checksums until the last moment before transmission or not, br0 may or
may not advertise all of the member interfaces' offload capabilities.

Dave

-- 
David Young             OJC Technologies
dyoung%ojctech.com@localhost      Urbana, IL * (217) 344-0444 x24

References:
- bridge with tap - trying to set up openvpn server
  - From: yancm
- Re: bridge with tap - trying to set up openvpn server
  - From: Manuel Bouyer
- Re: bridge with tap - trying to set up openvpn server
  - From: yancm
- Re: bridge with tap - trying to set up openvpn server
  - From: Manuel Bouyer
- Re: bridge with tap - trying to set up openvpn server
  - From: yancm
- Re: bridge with tap - trying to set up openvpn server
  - From: Manuel Bouyer
- Re: bridge with tap - trying to set up openvpn server
  - From: yancm
- Re: bridge with tap - trying to set up openvpn server
  - From: Manuel Bouyer
- Re: bridge with tap - trying to set up openvpn server
  - From: yancm
- Re: bridge with tap - trying to set up openvpn server
  - From: Manuel Bouyer

Prev by Date: Re: bridge with tap - trying to set up openvpn server
Next by Date: X11 Forwarding Question
Previous by Thread: Re: bridge with tap - trying to set up openvpn server
Next by Thread: Re: bridge with tap - trying to set up openvpn server
Indexes:

Home | Main Index | Thread Index | Old Index