[Bridge] 802.1q packets

richardvoigt at gmail.com richardvoigt at gmail.com
Sat Jun 28 17:08:28 PDT 2008


On Sat, Jun 28, 2008 at 4:17 PM, Fulvio Ricciardi <
fulvio.ricciardi at zeroshell.net> wrote:

>
> > > > > > Hi,
> > > > > >
> > > > > > I notice that with the Kernel 2.6.25.9 the 802.1q
> > > > > > VLAN tagged packets larger than 1470 bytes are not
> > > > > > forwarded at all by a bridge.
> > > > > > I think there is a bad interaction between bridge
> > > > > > and netfilter codes. Any chance to have a patch
> > > > > > to solve this problem that limits the possibility
> > > > > > to use the Linux bridges in an environment with
> > > > > > VLANs?
> > > > >
> > > > > With the following command it works:
> > > > >
> > > > > echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
> > > > >
> > > > > but this disables the iptables support that is
> > > > > important for obtaining complex bridge-firewall
> > > > > scenarios.
> > > > > Regards
> > > > > Fulvio Ricciardi
> > > >
> > > > Your iptables need to know about VLANs as well.
> > > > I bet your default action is to DROP.
> > > >
> > > No, the default policy is ACCEPT for the FORWARD chain.
> > > In any case the problem takes place only with large
> > > packets. For example if I try
> > >
> > > ping -s 1472 192.168.99.74
> > >
> > > it works, but
> > >
> > > ping -s 1473 192.168.99.74
> > >
> > > it does not.
> > > I am sure that the network cards are VLAN 802.1q aware
> > > because only the forwarding process is broken. If
> > > instead I just ping the IP of the bridge interface it
> > > works fine.
> >
> >
> > Are the other nodes directly connected to the netfilter
> > bridge, or are there Ethernet switches involved? Are
> > these switches managed, smart, or dumb? Are jumbo frames
> > enabled on all devices in the path?
> >
>
>
> One host is directly connected with a crossover cable to the
> bridge and the other one with an unmanaged switch that works
> fine because if I issue the command
>
> echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
>
> to disable the Netfilter action for the bridge there is no
> problem for the large packets on VLAN.


That mostly rules out other devices in the path as the cause of the
problem. There's just one chance of a netfilter interaction that I can
think of: netfilter may cause fragments to be recombined; without netfilter
the fragments could be bridged. Are you running the ping command from the
bridge itself, or across the bridge? (I presume across the bridge because
you are discussing the FORWARD chain only.)

Do the large ping requests show up in the iptables counters?

What happens if you set no fragmentation when you run ping?


>
> --------------------------------------------------------------------
> Fulvio Ricciardi
> web: http://www.zeroshell.net/eng/
> skype: zeroshellnet
> Phone: +3908321835630
>
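The sizes in the report above sit exactly on the IPv4 fragmentation boundary: `ping -s 1472` produces a 1500-byte datagram (8 bytes of ICMP header plus 20 bytes of IP header), and `ping -s 1473` produces 1501 bytes, which a 1500-byte MTU link has to fragment. The following is an added example, written for this page and not code from the thread or from the kernel: a small C model of IPv4 fragmentation and reassembly, plus a toy bridge that either relays fragments as opaque frames (bridge-nf-call-iptables=0) or reassembles the datagram before iptables sees it and re-fragments it on egress (bridge-nf-call-iptables=1). The 1500-byte MTU, the "reassemble, count once, re-fragment" behaviour and the treatment of DF are assumptions of the model; the thread itself leaves the actual cause of the drop open, so the model only helps reason about the reply's three questions (where fragmentation starts, what the iptables counters should show, and what setting DF changes).

```c
/*
 * Added example, not from the mailing-list thread and not kernel code:
 * a model of IPv4 fragmentation/reassembly and of what a bridge sees
 * with and without netfilter reassembly. MTU, counter semantics and the
 * re-fragment-on-egress step are assumptions of this model.
 */
#include <stdio.h>

#define IP_HDR_LEN   20
#define ICMP_HDR_LEN 8
#define MAX_FRAGS    16

struct frag {
    int offset;  /* fragment offset in 8-byte units, as in the IP header */
    int len;     /* bytes of datagram payload carried by this fragment */
    int mf;      /* "more fragments" flag */
};

/* Size of the IPv4 datagram produced by `ping -s payload`. */
int ping_ip_len(int payload)
{
    return IP_HDR_LEN + ICMP_HDR_LEN + payload;
}

/*
 * Split a datagram of ip_len bytes to fit mtu. Returns the fragment count,
 * 0 if it would need fragmenting but DF is set, -1 if `max` is too small.
 * Every fragment but the last carries a multiple of 8 payload bytes.
 */
int ip_fragment(int ip_len, int mtu, int df, struct frag *out, int max)
{
    int payload = ip_len - IP_HDR_LEN;
    int per_frag = (mtu - IP_HDR_LEN) & ~7;
    int n = 0, off = 0;

    if (max < 1)
        return -1;
    if (ip_len <= mtu) {
        out[0].offset = 0; out[0].len = payload; out[0].mf = 0;
        return 1;
    }
    if (df)
        return 0;
    while (off < payload) {
        int len = payload - off < per_frag ? payload - off : per_frag;
        if (n == max)
            return -1;
        out[n].offset = off / 8;
        out[n].len = len;
        out[n].mf = off + len < payload;
        n++;
        off += len;
    }
    return n;
}

/*
 * Reassemble fragments arriving in any order. Returns the datagram length,
 * or -1 while a fragment is still missing (a reassembling firewall holds
 * the datagram in that state instead of forwarding its pieces).
 */
int ip_reassemble(const struct frag *f, int n)
{
    int expect = 0, used = 0;

    for (;;) {
        int i, found = -1;
        for (i = 0; i < n; i++)
            if (f[i].offset * 8 == expect && f[i].len > 0)
                found = i;
        if (found < 0 || ++used > n)
            return -1;          /* hole in the data, or no final fragment */
        expect += f[found].len;
        if (!f[found].mf)
            return IP_HDR_LEN + expect;
    }
}

/* One `ping -s payload` from the bridge's point of view (model, see above). */
struct bridge_view {
    int ingress_frames;   /* fragments the sender puts on the wire */
    int iptables_packets; /* packets the FORWARD chain would count */
    int egress_frames;    /* frames the bridge emits; 0 means nothing goes out */
};

struct bridge_view bridge_forward(int payload, int mtu, int df, int call_iptables)
{
    struct frag in[MAX_FRAGS], out[MAX_FRAGS];
    struct bridge_view v = { 0, 0, 0 };
    int whole;

    v.ingress_frames = ip_fragment(ping_ip_len(payload), mtu, df, in, MAX_FRAGS);
    if (v.ingress_frames <= 0)
        return v;                       /* sender could not transmit it at all */
    if (!call_iptables) {               /* bridge-nf off: relay fragments as frames */
        v.egress_frames = v.ingress_frames;
        return v;
    }
    whole = ip_reassemble(in, v.ingress_frames);
    if (whole < 0)
        return v;                       /* still waiting for fragments */
    v.iptables_packets = 1;             /* FORWARD sees the whole datagram once */
    v.egress_frames = ip_fragment(whole, mtu, df, out, MAX_FRAGS);
    return v;
}

int main(void)
{
    int sizes[] = { 1472, 1473 }, i, nf;
    for (i = 0; i < 2; i++)
        for (nf = 0; nf <= 1; nf++) {
            struct bridge_view v = bridge_forward(sizes[i], 1500, 0, nf);
            printf("ping -s %d (ip len %d), bridge-nf %d: in %d, iptables %d, out %d\n",
                   sizes[i], ping_ip_len(sizes[i]), nf,
                   v.ingress_frames, v.iptables_packets, v.egress_frames);
        }
    return 0;
}
```

Reading the model against the reply: with bridge-nf on, each large ping should increment the FORWARD counters by one (the reassembled datagram), not by two (the fragments), so a counter that does not move at all for `-s 1473` while it moves for `-s 1472` points at the reassembly step rather than at a rule. The `df=1` runs correspond to `ping -M do`: with DF set and a 1500-byte MTU on the sender, the 1501-byte datagram never leaves the host, which separates "the sender fragments" from "the bridge drops".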

