[Bridge] 802.1q packets

Fulvio Ricciardi fulvio.ricciardi at zeroshell.net
Sat Jun 28 12:50:33 PDT 2008


> > > Hi,
> > > 
> > > I notice that with the Kernel 2.6.25.9 the 802.1q VLAN
> > > tagged packets larger than 1470 bytes are not
> > > forwarded at all by a bridge.
> > > I think there is a bad interaction between bridge and
> > > netfilter code. Any chance to have a patch to solve
> > > this problem, which limits the possibility of using
> > > Linux bridges in an environment with VLANs?
> > 
> > With the following command it works:
> > 
> > echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
> > 
> > but this disables the iptables support that is
> > important for obtaining complex bridge-firewall
> > scenarios.
> > Regards
> > Fulvio Ricciardi
> 
> Your iptables need to know about VLANs as well.
> I bet your default action is to DROP.
> 
No, the default policy is ACCEPT for the FORWARD chain. In
any case the problem takes place only with large packets.
For example if I try

ping -s 1472 192.168.99.74

it works, but

ping -s 1473 192.168.99.74

it does not.
I am sure that the network cards are VLAN 802.1q aware
because only the forwarding process is broken. If instead I
just ping the IP of the bridge interface it works fine.

Regards
Fulvio

--------------------------------------------------------------------
Fulvio Ricciardi
web: http://www.zeroshell.net/eng/
skype: zeroshellnet
Phone: +3908321835630
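A diagnostic that follows from the boundary test in this message, added here and not part of the thread: it parses raw Ethernet frames (for example from captures taken on the bridge's ingress and egress member ports) and lists the VLAN-tagged IPv4 fragments, which is exactly the traffic that `ping -s 1473` generates and that the bridge was reported to stop forwarding. The sample frames, VLAN ID 10, MAC and IP addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1q tag
ETH_IPV4 = 0x0800

def build_frame(vid, total_len, ident, mf=False, frag_off=0):
    """Constructed 802.1q-tagged IPv4 frame carrying only the fields the check reads."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"   # constructed MACs
    tag = struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ETH_IPV4)    # TPID, TCI (prio 0), inner type
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)             # MF flag + offset in 8-byte units
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, 1, 0,
                     bytes([192, 168, 99, 1]), bytes([192, 168, 99, 74]))  # constructed addresses
    return eth + tag + ip + b"\x00" * (total_len - 20)

def parse_frame(frame):
    """Return VLAN id (None if untagged) and the IPv4 length/fragment fields of one frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vid = 14, None
    if ethertype == TPID_8021Q:                      # tag present: TCI then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    if ethertype != ETH_IPV4:
        return {"vid": vid, "ipv4": False}
    _, _, total_len, ident, flags_frag = struct.unpack("!BBHHH", frame[off:off + 8])
    mf = bool(flags_frag & 0x2000)
    frag_off = (flags_frag & 0x1FFF) * 8
    return {"vid": vid, "ipv4": True, "len": total_len, "id": ident,
            "fragment": mf or frag_off > 0, "frag_off": frag_off}

def tagged_fragments(frames):
    """List (vid, ip_id, frag_off, len) for every VLAN-tagged IPv4 fragment in frames."""
    out = []
    for f in frames:
        p = parse_frame(f)
        if p["vid"] is not None and p.get("fragment"):
            out.append((p["vid"], p["id"], p["frag_off"], p["len"]))
    return out

# Constructed traffic: ping -s 1472 fits one 1500-byte IP packet (1472 + 8 ICMP + 20 IP),
# while ping -s 1473 is 1501 bytes and is split into a 1500-byte first fragment
# (1480 bytes of data, MF set) and a 21-byte last fragment at offset 1480.
PING_1472 = [build_frame(10, 1500, 0x0001)]
PING_1473 = [build_frame(10, 1500, 0x0002, mf=True, frag_off=0),
             build_frame(10, 21, 0x0002, mf=False, frag_off=1480)]
```

Running it over frames from both member ports shows whether the fragments arrive at the bridge and vanish before egress, which separates a bridge/netfilter drop from a NIC that is not VLAN-aware.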