lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 14 Dec 2012 11:50:51 -0500
From:	Vlad Yasevich <vyasevic@...hat.com>
To:	Jamal Hadi Salim <jhs@...atatu.com>
CC:	Stephen Hemminger <shemminger@...tta.com>,
	David Miller <davem@...emloft.net>, or.gerlitz@...il.com,
	netdev@...r.kernel.org, mst@...hat.com, john.r.fastabend@...el.com
Subject: Re: [PATCH 00/11] Add basic VLAN support to bridges

On 12/13/2012 05:56 PM, Jamal Hadi Salim wrote:
> On 12-12-13 05:37 PM, Stephen Hemminger wrote:
>
>>
>> You can, run any action before it hits the bridge.
>
> I think you and I have had this discussion before ;->
> It works just fine on ingress.
>
>
> #Add ingress qdisc on br0
> tc qdisc add dev br0 ingress
> #Add a filter to accept all and count
> tc filter add dev br0 parent ffff: protocol ip prio 6 u32 match ip dst
> 0/0 flowid 1:16 action ok
> #show the stats
> root@...12:~# tc -s filter show parent ffff: dev br0
> filter protocol ip pref 6 u32
> filter protocol ip pref 6 u32 fh 800: ht divisor 1
> filter protocol ip pref 6 u32 fh 800::800 order 2048 key ht 800 bkt 0
> flowid 1:16
>    match 00000000/00000000 at 16
>      action order 1: gact action pass
>       random type none pass val 0
>       index 2 ref 1 bind 1 installed 269 sec used 74 sec
>       Action statistics:
>      Sent 1210 bytes 15 pkt (dropped 0, overlimits 0 requeues 0)
>      backlog 0b 0p requeues 0
> ------
>
> Look at those packets ...

Interesting.  But, but how complex would be be to configure a vlan 
filter for say 10 different vlans, each one of them only permitted
to be forwarded to their respective VM.  Oh, and Vlan tags should
be stripped when they are being forwarded.

config:
       +- eth0
       |
   br0-+- vnet0 (vlan10) - VM1
       |
       +- vnet1 (vlan20) - VM2
       |
       +- vnet3 (vlan30) - VM3
... etc...

-vlad
>
> cheers,
> jamal
>
> cheers,
> jamal
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ