Hi Alexei, Sorry for messing up your address btw, not sure where I dug that one up... > > 1) Make the bridge code use skb->mac_len instead of ETH_HLEN. This > > works for this particular case, but breaks some other cases; > > evidently some places exist where skb->mac_len isn't even set to > > ETH_HLEN when a packet gets to the bridge. I don't know right now > > what that was, I think probably somebody who's CC'ed reported that. > > > > 2) Let tc_act_vlan() just pull ETH_HLEN instead of skb->mac_len, but > > this is rather asymmetric and strange, and while it works for this > > case it may cause confusion elsewhere. > > > > 2b) Toshiaki said it might be better to make that code *remember* > > mac_len and then use it to push and pull (so not caring about the > > change made by skb_vlan_push()), but that ultimately leads to > > confusion and if you have TC push/pop combinations things just get > > completely out of sync and die > > > > 3) Make skb_vlan_push()/_pop() just not change mac_len at all. So far > > this also addresses the issue, but it's likely that this will break > > OVS, and I don't know how it'd affect BPF. Quite possibly like TC > > does and is broken, but perhaps not. > > > > > > But now we're stuck. Depending on how you look at it, all of these seem > > sort of reasonable, or not. > > > > Ultimately, the issue seems to be that we couldn't really decide whether > > VLAN tags (and probably MPLS tags, for that matter) are covered by > > mac_len or not. At least not consistently on ingress and egress. > > eth_type_trans() doesn't take them into account, so of course on simple > > ingress mac_len will only cover the ETH_HLEN. > > > > If you have an accelerated tag and then push it into the SKB, it will > > *not* be taken into account in mac_len. OTOH, if you have a new tag and > > use skb_vlan_push() then it *will* be taken into account. > > > > > > I'm trending towards solution (3), because if we consider other > > combinations of VLAN push/pop in TC, I think we can end up in a very > > messy situation today. For example, POP/PUSH seems like it should be a > > no-op, but it isn't due to the mac_len, *unless* it can use the HW accel > > only (i.e. only a single tag). > > > > I think then to propose such a patch though we'd have to figure out > > where the BPF case is, and to keep OVS working probably either add an > > argument ("bool adjust_mac_len") to the function signatures, or just do > > the adjustments in OVS code after calling them? > > > > > > Any other thoughts? > > imo skb_vlan_push() should still change mac_len. > tc, ovs, bpf use it and expect vlan to be part of L2. I'm not sure tc really cares, but it *is* a reasonable argument to make. Like I said, whichever way I look at the problem, a different solution looks more reasonable ;-) > There is nothing between L2 and L3 :) > Hence we cannot say that vlan is not part of L2. > Hence push/pop vlan must change mac_len, since skb->mac_len > is kernel's definition of the length of L2 header. I think we're getting to something here now. I actually thought about this some more last night, and basically asked myself how I would design it without all the legacy baggage. I'm certainly not suggesting we should change anything here, but to me it was a bit of a clarification to do this and then see where we differ in our handling today. Thinking along those lines, I sort of ended up with the following scheme (just for the skb head, not the frags/fraglist): +------------------+----------------+---------------+ headroom | eth | vlan | ... | IP | TCP | payload | tailroom +------------------+----------------+---------------+ ^ skb->head_ptr ^ skb->l2_ptr ^ skb->l3_ptr == skb->l2_ptr + skb->l2_len ... ^ skb->payload_ptr ^ skb->tail Now, I deliberately didn't put any "skb->data" here, because what we do today is sort of confusing. By getting rid of the "multi-use" skb->data in this scheme I think it becomes clearer to think about. On *egress*, all we really care about is this: +------------------+----------------+---------------+ headroom | eth | vlan | ... | IP / TCP | payload | tailroom +------------------+----------------+---------------+ ^ skb->data skb->data + skb->len ^ On *ingress*, however, we hide some of the data (temporarily): |--------- headroom ---------| +------------------+----------------+---------------+ | eth | vlan | ... | IP / TCP | payload | tailroom +------------------+----------------+---------------+ ^ skb->data - skb->mac_len ^ skb->data skb->data + skb->len ^ which is somewhat confusing to me, and sort of causes all these problems. (It also makes it harder to reason about what data is actually valid in the skb, although if mac_len is non-zero then it must be, but it means you actually have less headroom and all). If instead we just made it like the hypothetical scheme I outlined above, then on traversing a layer we'd set the next layer pointer appropriately, and then each layer would just use the right pointer: * bridge/ethernet driver/... would use l2_ptr * IP would use the l3_ptr * TCP would use the l4_ptr (didn't put that into the picture) * ... Now we wouldn't have a problem with the VLAN tags, because we'd just appropriate set/keep all the pointers - bridge doesn't even care where l3_ptr is pointing, but for IP it would of course point to beyond the VLAN tags. (Now, if you wanted to implement this, you probably wouldn't have l2_ptr but l2_offset etc. but that's an implementation detail.) Now, why am I writing all this? Because I think it points out that you're absolutely right - we should treat mac_len as part of the frame if we're in anything that cares about L2 like bridge. > Now as far as bridge... I think it's unfortunate that linux > adopted 'vlan' as a netdevice model and that's where I think > the problem is. I'm not sure. I don't exactly know where the problem is if we fix bridge according to the patch (1) above, which, btw, was discussed before: https://lore.kernel.org/netdev/20190113135939.8970-1-zahari.doychev@xxxxxxxxx/ Back then, Nikolay (whom I forgot to CC, fixed now) said: > It breaks connectivity between bridge and > members when vlans are used. The host generated packets going out of the bridge > have mac_len = 0. Which probably indicates that we're not even consistent with the egress scheme I pointed out above, probably because we *also* have hard_header_len? Maybe somewhere early in the egress path we should set skb->mac_len to dev->hard_header_len, and then use skb->mac_len consistently, and consider that part of the skb (and not arbitrarily consider ETH_HLEN to be part of the skb in bridge). (This almost tempts me to actually try to implement the hypothetical SKB scheme I described above, just so it's easier to understand what part does what ... and to find where the issues like this occur) > Typical bridge in the networking industry is a device that > does forwarding based on L2. Which includes vlans. > And imo that's the most appropriate way of configuring and thinking > about bridge functionality. > Whereas in the kernel there is a 'vlan' netdevice that 'eats' > vlan tag and pretends that the rest is the same. > So linux bridge kinda doesn't need to be vlan aware. > CONFIG_BRIDGE_VLAN_FILTERING was the right step, but I haven't > seen it being used and I'm not sure about state of things there. I think that ends up being a question of semantics. You can consider an "industry bridge" that you describe to be a combination of VLAN and bridge netdevs, and so it's just a question of what exactly you consider a "bridge" - does it have to be a single netdev or not. > So your option 1 above is imo the best. The bridge needs to deal > with skb->mac_len and full L2 header. Yeah, I guess. We're back to square 1 ;-) I'm not even sure I understand the bug that Nikolay described, because br_dev_xmit() does: skb_reset_mac_header(skb); eth = eth_hdr(skb); skb_pull(skb, ETH_HLEN); so after this we *do* end up with an SKB that has mac_len == ETH_HLEN, if it was transmitted out the bridge netdev itself, and thus how would the bug happen? Thanks, johannes