| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Dec 2013 17:17:13 +0100 (CET) From: Alexandre DERUMIER <aderumier@...so.com> To: Toshiaki Makita <makita.toshiaki@....ntt.co.jp> Cc: netdev@...r.kernel.org, Vlad Yasevich <vyasevic@...hat.com> Subject: Re: bridge vlan_filtering don't work with tap devices (qemu guests) Little update: I can see now tagged packet on br0 with tcpdump, if I have #bridge vlan add dev br0 vid 10 self. All is working fine now. I have a last question : Is it possible to allow all vlans to go through a port. (or disable filtering for 1 specific port) ? If not, maybe could be it great to be able to add multiple vlans with bridge command,like "bridge vlan add dev xxx vid 1-4096" or "bridge vlan add dev xxx vid 1,2,3-10,12,13-4096" ----- Mail original ----- De: "Alexandre DERUMIER" <aderumier@...so.com> À: "Toshiaki Makita" <makita.toshiaki@....ntt.co.jp> Cc: netdev@...r.kernel.org, "Vlad Yasevich" <vyasevic@...hat.com> Envoyé: Vendredi 27 Décembre 2013 10:46:38 Objet: Re: bridge vlan_filtering don't work with tap devices (qemu guests) >>With these settings, you should be able to see tagged frames on bridge >>device with promisc mode. >>Are you sure you enabled vlan_filtering by sysfs? Yes,It's enabled. >>Or didn't you set br0 in the same way as other ports like below? >># bridge vlan add dev br0 vid 10 pvid untagged self Indeed I didn't set vlan on br0. Isn't it only to tag packets coming from the bridge itself? (like a bridge management ip for example). Or do we need to define all vlans allowed to pass through the bridge ? about tcdpump: I'm just using tcpdump -i br0 -e -n , and don't see any vlan tag. But maybe it's related to tcpdump bug, I have also had some random kernel panic. >>If you set pvid, incoming frames from the port will be tagged with the >>vlan. >>If you set untagged, outgoing frames with the vlan from the port will be >>untagged. >>So, if you want to send frames tagged with vlan 10, please don't set vid >>10 untagged on outgoing ports you want. Oh, ok, it's clear now. ----- Mail original ----- De: "Toshiaki Makita" <makita.toshiaki@....ntt.co.jp> À: "Alexandre DERUMIER" <aderumier@...so.com> Cc: netdev@...r.kernel.org, "Vlad Yasevich" <vyasevic@...hat.com> Envoyé: Vendredi 27 Décembre 2013 09:28:37 Objet: Re: bridge vlan_filtering don't work with tap devices (qemu guests) 2013-12-26 (木) の 14:57 +0100 に Alexandre DERUMIER さんは書きました: > Hello Again, > > One more question : > > If I use tcpdump on br0, I don't see any tagged vlan10 packets on the bridge. > with > # bridge vlan add dev tap0 vid 10 pvid untagged > # bridge vlan add dev tap1 vid 10 pvid untagged With these settings, you should be able to see tagged frames on bridge device with promisc mode. Are you sure you enabled vlan_filtering by sysfs? Or didn't you set br0 in the same way as other ports like below? # bridge vlan add dev br0 vid 10 pvid untagged self > > > What I would like to do, is tagging vlan10, incoming (untagged) packets from tap0 and tap1. > > Is it possible ? If you set pvid, incoming frames from the port will be tagged with the vlan. If you set untagged, outgoing frames with the vlan from the port will be untagged. So, if you want to send frames tagged with vlan 10, please don't set vid 10 untagged on outgoing ports you want. BTW: (CC: Vlad) I tested to execute tcpdump on br0 with vlan_filtering enabled, but kernel panic occurred with upstream net-tree kernel. br_handle_vlan() seems to have a bug that it doesn't check pv is NULL or not. br_pass_frame_up() calls br_handle_vlan() even if br->vlan_info is NULL when bridge device is promisc mode. This will occur if we don't add any vlan on the bridge device. I'm going to make a patch to fix it. Thanks, Toshiaki Makita > > With openvswitch, I can do it simply with "ovs-vsctl set port tap0 tag=10" > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists