From: Tim Nelson <tnelson@rockbochs.com>
To: netfilter@vger.kernel.org
Subject: Re: Bridging / VLANs / ebtables
Date: Wed, 17 Dec 2014 10:51:53 -0600 (CST) [thread overview]
Message-ID: <11784487.350636.1418835113805.JavaMail.root@rockbochs.com> (raw)
In-Reply-To: <20141217025514.GW967@titan.lakedaemon.net>
----- Original Message -----
> Tim,
>
> Ah crap. I should've read the OP first. Definitely some scenario
> lost
> in quote-trimming...
>
> On Fri, Dec 12, 2014 at 02:03:12PM -0600, Tim Nelson wrote:
> > Greetings-
> >
> > I have an interesting situation that requires bridging some VLAN
> > enabled interfaces together on a Debian 7.x x86 system. On the
> > host,
> > there is a single physical interface passing traffic natively
> > (eth0),
> > and two tagged VLANs also passing traffic (eth0.2 and eth0.3).
> >
> > The use case is that I need to bridge eth0 with eth0.2, allowing
> > layer
> > two traffic to pass seamlessly between interfaces, and still leave
> > eth0.3 in a usable state. The switch this system is connected to is
> > outside of my control, which is the reason for the odd network
> > setup.
> >
> > What I'm finding by simply creating a new bridge br0 with members
> > eth0
> > and eth0.2 is no connectivity on eth0.2, and slow/quirky
> > connectivity
> > on eth0 (native connectivity to Debian 7.x host).
>
> This sounds a bit like an IP address / routing rule conflict. Did
> you
> set eth0 and eth0.2 0.0.0.0 and promiscuous? Did you assign one IP
> address to the bridge? Would you mind sending the output of:
>
I had not thought of putting the interfaces in promiscuous mode, but have since tested (as per your last email). Still no change.
> # ip addr show
>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
link/ether b8:27:eb:bd:9e:51 brd ff:ff:ff:ff:ff:ff
3: eth0.3@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP
link/ether b8:27:eb:bd:9e:51 brd ff:ff:ff:ff:ff:ff
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether b8:27:eb:bd:9e:51 brd ff:ff:ff:ff:ff:ff
inet 172.31.255.249/29 brd 172.31.255.255 scope global eth0.2
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:febd:9e51/64 scope link
valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether b8:27:eb:bd:9e:51 brd ff:ff:ff:ff:ff:ff
inet 172.16.23.152/24 brd 172.16.23.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:febd:9e51/64 scope link
valid_lft forever preferred_lft forever
> and
>
> # route -n
>
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.23.1 0.0.0.0 UG 0 0 0 br0
172.16.23.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
172.31.255.248 0.0.0.0 255.255.255.248 U 0 0 0 eth0.2
> ?
>
> > It has been suggested to use ebtables to filter the VLANs from the
> > eth0 interface on the bridge, yet allow operation to the system
> > interface eth0.2/eth0.3. I found a very specific reference on the
> > ebtables site for this scenario [1], usage suggested (modified to
> > fit
> > my environment):
> >
> > ebtables -t broute -A BROUTING -i eth0 -p 802_1Q --vlan-id 3 -j
> > DROP
> > ebtables -t broute -A BROUTING -i eth0 -p 802_1Q --vlan-id 2 -j
> > DROP
> >
> > If my understanding of the ebtables usage as a brouter, and the
> > kernel's interaction between all components involved, this should
> > work. However, as noted, no change in operation is observed.
>
> Yes, based on your description of the network you are going to need
> the
> above rules.
>
I've added the above rules, no change:
root@h4222:~# ebtables -t broute -L
Bridge table: broute
Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p 802_1Q -i eth0 --vlan-id 3 -j DROP
-p 802_1Q -i eth0 --vlan-id 2 -j DROP
Thank you,
--Tim
next prev parent reply other threads:[~2014-12-17 16:51 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4829673.301498.1418414563731.JavaMail.root@rockbochs.com>
2014-12-12 20:03 ` Bridging / VLANs / ebtables Tim Nelson
2014-12-16 1:20 ` Tim Nelson
2014-12-16 9:01 ` Akshat Kakkar
2014-12-16 14:56 ` Paul Robert Marino
2014-12-16 21:16 ` Tim Nelson
2014-12-16 21:15 ` Tim Nelson
2014-12-16 21:34 ` Jason Cooper
2014-12-16 21:46 ` Tim Nelson
2014-12-17 2:41 ` Jason Cooper
2014-12-17 16:40 ` Tim Nelson
2014-12-22 3:37 ` Tim Nelson
2014-12-17 2:55 ` Jason Cooper
2014-12-17 4:41 ` Akshat Kakkar
2014-12-17 16:56 ` Tim Nelson
2014-12-17 16:51 ` Tim Nelson [this message]
[not found] <549119ce.ca25e00a.053d.1a62@mx.google.com>
2014-12-17 17:30 ` Tim Nelson
[not found] <CAPJdpdD+Ziiy_keV=Re92-v53PtMA8N7XK6rKXYHvzj3QJcOQg@mail.gmail.com>
2014-12-22 15:24 ` Tim Nelson
2014-12-22 21:15 ` Paul Robert Marino
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=11784487.350636.1418835113805.JavaMail.root@rockbochs.com \
--to=tnelson@rockbochs.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox