[Bridge] 802.1q packets

Fulvio Ricciardi fulvio.ricciardi at zeroshell.net
Sat Jun 28 14:17:35 PDT 2008


> > > > > Hi,
> > > > >
> > > > > I notice that with the Kernel 2.6.25.9 the 802.1q
> > > > > VLAN tagged packets larger than 1470 bytes are not
> > > > > forwarded at all by a bridge.
> > > > > I think there is a bad interaction between bridge
> > > > > and netfilter codes. Any chance to have a patch
> > > > > to solve this problem that limits the possibility
> > > > > to use the Linux bridges in an environment with
> > > > > VLANs?
> > > >
> > > > With the following command it works:
> > > >
> > > > echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
> > > >
> > > > but this disables the iptables support that is
> > > > important for obtaining complex bridge-firewall
> > > > scenarios.
> > > > Regards
> > > > Fulvio Ricciardi
> > >
> > > Your iptables need to know about VLANs as well.
> > > I bet your default action is to DROP.
> > >
> > No, the default policy is ACCEPT for the FORWARD chain.
> > In any case the problem takes place only with large
> > packets. For example if I try
> >
> > ping -s 1472 192.168.99.74
> >
> > it works, but
> >
> > ping -s 1473 192.168.99.74
> >
> > it does not.
> > I am sure that the network cards are VLAN 802.1q aware
> > because only the forwarding process is broken. If
> > instead I just ping the IP of the bridge interface it
> > works fine.
> 
> 
> Are the other nodes directly connected to the netfilter
> bridge, or are there ethernet switches involved?   Are
> these switches managed, smart, or dumb? Are jumbo frames
> enabled on all devices in the path?
> 


One host is directly connected with a cross cable to the
bridge and the other one with an unmanaged switch that works
fine because if I issue the command

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

to disable the Netfilter action for the bridge there is no
problem for the large packets on VLAN.



--------------------------------------------------------------------
Fulvio Ricciardi
web: http://www.zeroshell.net/eng/
skype: zeroshellnet
Phone: +3908321835630
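
Added example, not part of the original message: a shell sketch that computes the IP datagram size for the two ping payloads in the thread and reports whether the workaround has left bridged traffic outside iptables. It assumes IPv4 without options, an 8-byte ICMP header and an interface MTU of 1500; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: IPv4 header without
# options (20 bytes), ICMP echo header (8 bytes), interface MTU 1500.

# IP datagram length produced by `ping -s <payload>`.
icmp_ip_len() {
    echo $(( $1 + 8 + 20 ))
}

# Prints "fragmented" if the datagram exceeds the MTU, else "single".
ping_fragmentation() {
    payload=$1
    mtu=${2:-1500}
    if [ "$(icmp_ip_len "$payload")" -gt "$mtu" ]; then
        echo fragmented
    else
        echo single
    fi
}

# Prints "name=value" for each bridge-netfilter switch under a sysctl
# directory (default /proc/sys/net/bridge). Returns 1 when
# bridge-nf-call-iptables is not 1, i.e. iptables rules are not applied
# to bridged IPv4 traffic (the state the workaround in the thread creates).
bridge_nf_status() {
    dir=${1:-/proc/sys/net/bridge}
    rc=0
    for name in bridge-nf-call-iptables bridge-nf-call-ip6tables \
                bridge-nf-call-arptables bridge-nf-filter-vlan-tagged; do
        if [ -r "$dir/$name" ]; then
            val=$(cat "$dir/$name")
        else
            val=missing
        fi
        echo "$name=$val"
        if [ "$name" = bridge-nf-call-iptables ] && [ "$val" != 1 ]; then
            rc=1
        fi
    done
    return $rc
}

# The two payload sizes from the thread sit on either side of the MTU.
for size in 1472 1473; do
    echo "ping -s $size: $(icmp_ip_len "$size") bytes, $(ping_fragmentation "$size")"
done
bridge_nf_status || echo "warning: bridged IPv4 traffic bypasses iptables"
```

Under these assumptions `ping -s 1472` yields a 1500-byte datagram that fits in one frame, while `ping -s 1473` yields 1501 bytes and is sent as IP fragments.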

