Page MenuHomeFreeBSD

wpa_supplicant: Enable receiving priority tagged (VID 0) frames
ClosedPublic

Authored by rcm on Jun 6 2023, 7:29 PM.
Referenced Files
Unknown Object (File)
Sun, Nov 10, 12:55 AM
Unknown Object (File)
Sat, Nov 9, 9:13 PM
Unknown Object (File)
Sat, Nov 9, 7:35 PM
Unknown Object (File)
Sat, Nov 9, 7:17 PM
Unknown Object (File)
Sat, Nov 9, 7:01 PM
Unknown Object (File)
Sat, Nov 9, 6:01 PM
Unknown Object (File)
Sat, Nov 9, 5:56 PM
Unknown Object (File)
Sat, Nov 9, 5:54 PM

Details

Summary

Certain internet service providers transmit VLAN 0 priority tagged
EAPOL frames from the ONT towards the residential gateway. VID 0
should be ignored, and the frame processed according to the priority
set in the 802.1P bits and the encapsulated EtherType (i.e. EAPOL).

The pcap filter utilized by l2_packet_* is inadquate for this use case.

Here we modify the pcap filter on FreeBSD to accept both unencapsulated
and encapsulated (with VLAN 0) EAPOL EtherTypes. This preserves the
original filter behavior while also matching on encapsulated EAPOL.

Additional work is required to support this handling on other platforms.

We also modify the rx_receive handler to offset the packet buffer
and length when handling dot1q encapsualted frames so the existing
packet parsing code works as-is.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

rcm requested review of this revision.Jun 6 2023, 7:29 PM
rcm retitled this revision from wpa_supplicant: Enable receiving priority tagged (VID 0) frames to wip: wpa_supplicant: Enable receiving priority tagged (VID 0) frames.Jun 7 2023, 1:31 PM

This revision narrows the scope of change to only focus on FreeBSD related L2 packet handling in wpa_supplicant. The previous revision updated all occurrences of the filter program, however failed to account for packet and length offsets when handling encapsulated frames. Someone else can pick up the torch and provide patches for other platforms upstream as-needed.

rcm retitled this revision from wip: wpa_supplicant: Enable receiving priority tagged (VID 0) frames to wpa_supplicant: Enable receiving priority tagged (VID 0) frames.Jun 7 2023, 4:38 PM

Can you also please send this to our upstream, hostap@lists.infradead.org. I prefer not having our source diverge from upstream too much.

Other than that, looks good. I'll do some regression testing here.

slippy$ git apply /tmp/D40442.diff
error: patch failed: contrib/wpa/src/l2_packet/l2_packet_freebsd.c:99
error: contrib/wpa/src/l2_packet/l2_packet_freebsd.c: patch does not apply
slippy$ patch -C -p1 < /tmp/D40442.diff
Hmm... Looks like a unified diff to me...

The text leading up to this was:

diff --git a/contrib/wpa/src/l2_packet/l2_packet_freebsd.c b/contrib/wpa/src/l2_packet/l2_packet_freebsd.c
--- a/contrib/wpa/src/l2_packet/l2_packet_freebsd.c
+++ b/contrib/wpa/src/l2_packet/l2_packet_freebsd.c

Patching file contrib/wpa/src/l2_packet/l2_packet_freebsd.c using Plan A...
Hunk #1 succeeded at 21.
Hunk #2 failed at 100.
Hunk #3 failed at 131.
2 out of 3 hunks failed while patching contrib/wpa/src/l2_packet/l2_packet_freebsd.c
Hmm... Ignoring the trailing garbage.
done
slippy$

cy requested changes to this revision.Jun 8 2023, 12:17 AM

Patch does not apply.

slippy$ git apply /tmp/D40442.diff 
error: patch failed: contrib/wpa/src/l2_packet/l2_packet_freebsd.c:99
error: contrib/wpa/src/l2_packet/l2_packet_freebsd.c: patch does not apply
slippy$ patch -C -p1 < /tmp/D40442.diff 
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/contrib/wpa/src/l2_packet/l2_packet_freebsd.c b/contrib/wpa/src/l2_packet/l2_packet_freebsd.c
|--- a/contrib/wpa/src/l2_packet/l2_packet_freebsd.c
|+++ b/contrib/wpa/src/l2_packet/l2_packet_freebsd.c
--------------------------
Patching file contrib/wpa/src/l2_packet/l2_packet_freebsd.c using Plan A...
Hunk #1 succeeded at 21.
Hunk #2 failed at 100.
Hunk #3 failed at 131.
2 out of 3 hunks failed while patching contrib/wpa/src/l2_packet/l2_packet_freebsd.c
Hmm...  Ignoring the trailing garbage.
done
slippy$
This revision now requires changes to proceed.Jun 8 2023, 12:17 AM

Not sure why the last diff did not apply. I recreated it. Hopefully this one works.

In D40442#921284, @cy wrote:

Can you also please send this to our upstream, hostap@lists.infradead.org. I prefer not having our source diverge from upstream too much.

Other than that, looks good. I'll do some regression testing here.

Absolutely. I sent a subscribe email to hostap-join a few days ago actually but I guess it hasn't been manually verified yet (rcm <at> rcm dot sh)

There was a regression in the latest diff. That has been fixed now.

http://lists.infradead.org/pipermail/hostap/2023-June/041627.html

I managed to get subscribed to the hostap mailing list. I also brought along another patch from FreeBSD so the l2 receive code should now be consistent between the two trees.

In D40442#921594, @rcm_rcm.sh wrote:

http://lists.infradead.org/pipermail/hostap/2023-June/041627.html

I managed to get subscribed to the hostap mailing list. I also brought along another patch from FreeBSD so the l2 receive code should now be consistent between the two trees.

Excellent! Thanks.

They take their time. If after a couple of weeks there is no reply or no commit, just email j@w1.fi. Whatever you submit to them will be the commit message.

LGTM. I will commit this on Monday for you.

This revision is now accepted and ready to land.Jun 11 2023, 3:45 PM
franco_opnsense.org added inline comments.
contrib/wpa/src/l2_packet/l2_packet_freebsd.c
104

Is there already a place that handles the explicit VLAN "0" check, because this patch does not? Or do we just assume it has to be "0" because we got the package with a VLAN header?

139

Why print the same value twice?

rcm marked an inline comment as done.Jun 12 2023, 1:21 PM
rcm added inline comments.
contrib/wpa/src/l2_packet/l2_packet_freebsd.c
104

The pcap filter program already performs this assertion implicitly by virtue of the filter itself. It isn't really necessary to test the VID again. I mean, we certainly can but that would require casting to an extended Ethernet header struct that includes dot1q bits just for the purpose of asserting that VID=0.

139

Because we use the value of protocol again in the new ethertype filter here ( vlan 0 and ether proto 0x%x ) )

We need to test for the ether proto twice, both for unencap'd frames and encap'd frames. Without the second test we would match on any frame with a VID=0 regardless of encap'd ethertype, which is not correct.

rcm marked 2 inline comments as done.Jun 12 2023, 1:22 PM
rcm edited the summary of this revision. (Show Details)
This revision was automatically updated to reflect the committed changes.

For the print alone it's beneficial to read the VLAN ID and show it. The way it is now it just pushes the maintenance cost to a future point/individual if the PCAP implementation doesn't do what is assumed here (and not even correctly documented as a comment).

For the print alone it's beneficial to read the VLAN ID and show it. The way it is now it just pushes the maintenance cost to a future point/individual if the PCAP implementation doesn't do what is assumed here (and not even correctly documented as a comment).

This isn't printed, it's an snprintf to compose the filter program string.

For emphasis: I said for clarity it's beneficial to read the VLAN ID and at least show it. Doing it here assuming it's zero but giving no way to verify is simply risky.