lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ecd32790-8561-4b95-9e2f-2e5aad97d8fe@mailpro>
Date:	Fri, 27 Dec 2013 17:17:13 +0100 (CET)
From:	Alexandre DERUMIER <aderumier@...so.com>
To:	Toshiaki Makita <makita.toshiaki@....ntt.co.jp>
Cc:	netdev@...r.kernel.org, Vlad Yasevich <vyasevic@...hat.com>
Subject: Re: bridge vlan_filtering don't work with tap devices (qemu guests)

Little update: 

I can see now tagged packet on br0 with tcpdump, if I have

#bridge vlan add dev br0 vid 10 self.

All is working fine now.

I have a last question : 

Is it possible to allow all vlans to go through a port. (or disable filtering for 1 specific port) ?

If not, maybe could be it great to be able to add multiple vlans with bridge command,like 
"bridge vlan add dev xxx vid 1-4096"
or
"bridge vlan add dev xxx vid 1,2,3-10,12,13-4096"

----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier@...so.com> 
À: "Toshiaki Makita" <makita.toshiaki@....ntt.co.jp> 
Cc: netdev@...r.kernel.org, "Vlad Yasevich" <vyasevic@...hat.com> 
Envoyé: Vendredi 27 Décembre 2013 10:46:38 
Objet: Re: bridge vlan_filtering don't work with tap devices (qemu guests) 

>>With these settings, you should be able to see tagged frames on bridge 
>>device with promisc mode. 
>>Are you sure you enabled vlan_filtering by sysfs? 
Yes,It's enabled. 

>>Or didn't you set br0 in the same way as other ports like below? 
>># bridge vlan add dev br0 vid 10 pvid untagged self 

Indeed I didn't set vlan on br0. Isn't it only to tag packets coming from the bridge itself? (like a bridge management ip for example). 
Or do we need to define all vlans allowed to pass through the bridge ? 

about tcdpump: 

I'm just using tcpdump -i br0 -e -n , and don't see any vlan tag. 
But maybe it's related to tcpdump bug, I have also had some random kernel panic. 


>>If you set pvid, incoming frames from the port will be tagged with the 
>>vlan. 
>>If you set untagged, outgoing frames with the vlan from the port will be 
>>untagged. 

>>So, if you want to send frames tagged with vlan 10, please don't set vid 
>>10 untagged on outgoing ports you want. 

Oh, ok, it's clear now. 



----- Mail original ----- 

De: "Toshiaki Makita" <makita.toshiaki@....ntt.co.jp> 
À: "Alexandre DERUMIER" <aderumier@...so.com> 
Cc: netdev@...r.kernel.org, "Vlad Yasevich" <vyasevic@...hat.com> 
Envoyé: Vendredi 27 Décembre 2013 09:28:37 
Objet: Re: bridge vlan_filtering don't work with tap devices (qemu guests) 

2013-12-26 (木) の 14:57 +0100 に Alexandre DERUMIER さんは書きました: 
> Hello Again, 
> 
> One more question : 
> 
> If I use tcpdump on br0, I don't see any tagged vlan10 packets on the bridge. 
> with 
> # bridge vlan add dev tap0 vid 10 pvid untagged 
> # bridge vlan add dev tap1 vid 10 pvid untagged 

With these settings, you should be able to see tagged frames on bridge 
device with promisc mode. 
Are you sure you enabled vlan_filtering by sysfs? 
Or didn't you set br0 in the same way as other ports like below? 
# bridge vlan add dev br0 vid 10 pvid untagged self 

> 
> 
> What I would like to do, is tagging vlan10, incoming (untagged) packets from tap0 and tap1. 
> 
> Is it possible ? 

If you set pvid, incoming frames from the port will be tagged with the 
vlan. 
If you set untagged, outgoing frames with the vlan from the port will be 
untagged. 

So, if you want to send frames tagged with vlan 10, please don't set vid 
10 untagged on outgoing ports you want. 


BTW: 
(CC: Vlad) 
I tested to execute tcpdump on br0 with vlan_filtering enabled, but 
kernel panic occurred with upstream net-tree kernel. br_handle_vlan() 
seems to have a bug that it doesn't check pv is NULL or not. 
br_pass_frame_up() calls br_handle_vlan() even if br->vlan_info is NULL 
when bridge device is promisc mode. 
This will occur if we don't add any vlan on the bridge device. 
I'm going to make a patch to fix it. 

Thanks, 
Toshiaki Makita 

> 
> With openvswitch, I can do it simply with "ovs-vsctl set port tap0 tag=10" 
> 
-- 
To unsubscribe from this list: send the line "unsubscribe netdev" in 
the body of a message to majordomo@...r.kernel.org 
More majordomo info at http://vger.kernel.org/majordomo-info.html 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ