Hi,

I notice that with the Kernel 2.6.25.9 the 802.1q VLAN tagged packets larger than 1470 bytes are not forwarded at all by a bridge.
I think there is a bad interaction between bridge and netfilter codes. Any chance to have a patch to solve this problem, which limits the possibility to use the Linux bridges in an environment with VLANs?

Best Regards
Fulvio Ricciardi

--------------------------------------------------------------------
Fulvio Ricciardi
web: http://www.zeroshell.net/eng/
skype: zeroshellnet
Phone: +3908321835630
> Hi,
>
> I notice that with the Kernel 2.6.25.9 the 802.1q VLAN
> tagged packets larger than 1470 bytes are not forwarded at
> all by a bridge.
> I think there is a bad interaction between bridge and
> netfilter codes. Any chance to have a patch to solve
> this problem, which limits the possibility to use the Linux
> bridges in an environment with VLANs?

With the following command it works:

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

but this disables the iptables support, which is important for obtaining complex bridge-firewall scenarios.

Regards
Fulvio Ricciardi
> > > Hi,
> > >
> > > I notice that with the Kernel 2.6.25.9 the 802.1q VLAN
> > > tagged packets larger than 1470 bytes are not
> > > forwarded at all by a bridge.
> > > I think there is a bad interaction between bridge and
> > > netfilter codes. Any chance to have a patch to solve
> > > this problem, which limits the possibility to use the
> > > Linux bridges in an environment with VLANs?
> >
> > With the following command it works:
> >
> > echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
> >
> > but this disables the iptables support, which is
> > important for obtaining complex bridge-firewall
> > scenarios.
> > Regards
> > Fulvio Ricciardi
>
> Your iptables need to know about VLANs as well.
> I bet your default action is to DROP.

No, the default policy is ACCEPT for the FORWARD chain. In any case the problem takes place only with large packets. For example, if I try

ping -s 1472 192.168.99.74

it works, but

ping -s 1473 192.168.99.74

does not. I am sure that the network cards are VLAN 802.1q aware because only the forwarding process is broken. If instead I just ping the IP of the bridge interface, it works fine.

Regards
Fulvio
> > > > > Hi,
> > > > >
> > > > > I notice that with the Kernel 2.6.25.9 the 802.1q
> > > > > VLAN tagged packets larger than 1470 bytes are not
> > > > > forwarded at all by a bridge.
> > > > > I think there is a bad interaction between bridge
> > > > > and netfilter codes. Any chance to have a patch
> > > > > to solve this problem, which limits the possibility
> > > > > to use the Linux bridges in an environment with
> > > > > VLANs?
> > > >
> > > > With the following command it works:
> > > >
> > > > echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
> > > >
> > > > but this disables the iptables support, which is
> > > > important for obtaining complex bridge-firewall
> > > > scenarios.
> > > > Regards
> > > > Fulvio Ricciardi
> > >
> > > Your iptables need to know about VLANs as well.
> > > I bet your default action is to DROP.
> >
> > No, the default policy is ACCEPT for the FORWARD chain.
> > In any case the problem takes place only with large
> > packets. For example, if I try
> >
> > ping -s 1472 192.168.99.74
> >
> > it works, but
> >
> > ping -s 1473 192.168.99.74
> >
> > does not.
> > I am sure that the network cards are VLAN 802.1q aware
> > because only the forwarding process is broken. If
> > instead I just ping the IP of the bridge interface, it
> > works fine.
>
> Are the other nodes directly connected to the netfilter
> bridge, or are there ethernet switches involved? Are
> these switches managed, smart, or dumb? Are jumbo frames
> enabled on all devices in the path?

One host is directly connected with a cross cable to the bridge and the other one through an unmanaged switch, which works fine, because if I issue the command

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

to disable the Netfilter action for the bridge, there is no problem with the large packets on the VLAN.
I had a similar problem not long ago. Make sure that ip_conntrack is not loaded. In my case, it was re-assembling all fragmented packets passing through the bridge, and not fragmenting them again. The resulting large packet was too big for the interface, and it got dropped.

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
Helpdesk 1300 300 616
email lsharpe at pacificwireless.com.au
web www.pacificwireless.com.au

-----Original Message-----
From: bridge-bounces at lists.linux-foundation.org [mailto:bridge-bounces at lists.linux-foundation.org] On Behalf Of Fulvio Ricciardi
Sent: Saturday, 28 June 2008 2:56 PM
To: bridge at osdl.org
Subject: [Bridge] 802.1q packets

Hi,

I notice that with the Kernel 2.6.25.9 the 802.1q VLAN tagged packets larger than 1470 bytes are not forwarded at all by a bridge.
I think there is a bad interaction between bridge and netfilter codes. Any chance to have a patch to solve this problem, which limits the possibility to use the Linux bridges in an environment with VLANs?

Best Regards
Fulvio Ricciardi
> I had a similar problem not long ago. Make sure that
> ip_conntrack is not loaded. In my case, it was
> re-assembling all fragmented packets passing through the
> bridge, and not fragmenting them again. The resulting
> large packet was too big for the interface, and it got
> dropped.

I use the modules nf_conntrack_ipv4 and nf_conntrack. I can't remove them. Does a workaround exist if this is the problem?

Thanks
Fulvio
> That mostly rules out other devices in the path as the
> cause of the problem. There's just one chance of a
> netfilter interaction that I can think of: netfilter may
> cause fragments to be recombined, without netfilter the
> fragments could be bridged. Are you running the ping
> command from the bridge itself, or across the bridge? (I
> presume across the bridge because you are discussing the
> FORWARD chain only)

I ping across the bridge. If instead I ping from the bridge itself, all works right.

> Do the large ping requests show up in the iptables
> counters?

Yes, in any case (either ping -s 1472 or ping -s 1473) the packets are counted in the FORWARD chain.

> What happens if you set no fragmentation when you run
> ping?

It's the same.

Thanks
Fulvio
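Leigh's explanation and the exchange above (fragments reassembled by connection tracking, a reassembled packet too large for the egress link, the `ping -s 1472` / `ping -s 1473` boundary, and the DF question) can be walked through with a small size model. The following Python is an added example written for this page; it is not code from the bridge list, from the kernel, or from Zeroshell. It only does header arithmetic with the standard sizes (14-byte Ethernet header, 4-byte 802.1q tag, 20-byte IPv4 header, 8-byte ICMP echo header, 1500-byte MTU); the "drop" outcome is an assumption modelling the behaviour Leigh reported, not a reproduction of the kernel's code path.

```python
# Added example (not from the bridge list thread): a size model of fragmentation,
# reassembly on a netfilter bridge, and the need to re-fragment before egress.

ETH_HDR = 14     # destination MAC, source MAC, EtherType
VLAN_TAG = 4     # 802.1q TPID + TCI, inserted after the source MAC
IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo header: type, code, checksum, id, sequence
MTU = 1500       # Ethernet L3 MTU; the 802.1q tag is not counted against it


def sender_fragments(data_len, mtu=MTU, df=False):
    """Fragment an ICMP echo carrying data_len bytes the way the sending host would.

    Returns a list of (offset, payload_len, more_fragments). If the packet does not
    fit the MTU and DF is set, the sender's own stack refuses to send it.
    """
    l3_payload = ICMP_HDR + data_len
    if IP_HDR + l3_payload <= mtu:
        return [(0, l3_payload, False)]
    if df:
        raise ValueError("EMSGSIZE: packet exceeds MTU and DF is set")
    max_chunk = (mtu - IP_HDR) // 8 * 8   # non-final fragments carry a multiple of 8 bytes
    frags, off = [], 0
    while off < l3_payload:
        chunk = min(max_chunk, l3_payload - off)
        frags.append((off, chunk, off + chunk < l3_payload))
        off += chunk
    return frags


def sender_refuses_with_df(data_len, mtu=MTU):
    """True if a ping of data_len bytes with DF set never leaves the sending host."""
    try:
        sender_fragments(data_len, mtu, df=True)
        return False
    except ValueError:
        return True


def reassemble(frags):
    """Reassemble fragments into one IP packet; returns its length, or None if incomplete."""
    frags = sorted(frags)
    expected = 0
    for off, length, _more in frags:
        if off != expected:
            return None               # gap or overlap: nothing usable yet
        expected = off + length
    if frags[-1][2]:                  # last fragment still has MF set
        return None
    return IP_HDR + expected


def frame_len(ip_len, tagged):
    """Bytes on the wire (without FCS) for one IP packet of ip_len bytes."""
    return ETH_HDR + (VLAN_TAG if tagged else 0) + ip_len


def bridge_forward(data_len, conntrack=True, refragment=True, egress_mtu=MTU, tagged=True):
    """Simulate the bridge path for 'ping -s data_len' crossing the bridge.

    conntrack=False models bridge-nf-call-iptables=0 or no conntrack module loaded:
    fragments are bridged untouched. With conntrack, fragments are reassembled before
    the netfilter hooks; refragment=False models the fault Leigh describes (the
    reassembled packet is handed to the egress port as one unit).
    """
    frags = sender_fragments(data_len)
    if not conntrack or len(frags) == 1:
        out = [frame_len(IP_HDR + length, tagged) for _, length, _ in frags]
    else:
        ip_len = reassemble(frags)
        if refragment:
            again = sender_fragments(ip_len - IP_HDR - ICMP_HDR, egress_mtu)
            out = [frame_len(IP_HDR + length, tagged) for _, length, _ in again]
        else:
            out = [frame_len(ip_len, tagged)]
    max_frame = ETH_HDR + (VLAN_TAG if tagged else 0) + egress_mtu
    return {"fragments_in": len(frags), "frames_out": out,
            "forwarded": all(f <= max_frame for f in out)}


if __name__ == "__main__":
    for size in (1472, 1473):
        for ct, refrag in ((False, True), (True, True), (True, False)):
            print(f"ping -s {size} conntrack={ct} refragment={refrag}:",
                  bridge_forward(size, conntrack=ct, refragment=refrag))
```

Running it shows why 1472 is the last working size: 1472 + 8 + 20 fills the 1500-byte MTU exactly, while 1473 forces two fragments whose reassembled packet is 1501 bytes (a 1519-byte tagged frame) and can only leave the bridge if it is fragmented again. With DF set the sender refuses the 1473-byte ping itself, so nothing reaches the bridge either way.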
Fulvio Ricciardi wrote:
> I notice that with the Kernel 2.6.25.9 the 802.1q VLAN
> tagged packets larger than 1470 bytes are not forwarded at
> all by a bridge.
> I think there is a bad interaction between bridge and
> netfilter codes. Any chance to have a patch to solve this
> problem, which limits the possibility to use the Linux bridges
> in an environment with VLANs?

Is it maybe the problem described here?

https://lists.linux-foundation.org/pipermail/bridge/2007-May/005436.html

If so, it was reported more than one year ago and still none of the developers cares about it.

--
## Adam Osuchowski  Adam.Osuchowski at polsl.pl
## Silesian University of Technology, Computer Centre, Gliwice, Poland
> Fulvio Ricciardi wrote:
> > I notice that with the Kernel 2.6.25.9 the 802.1q VLAN
> > tagged packets larger than 1470 bytes are not forwarded
> > at all by a bridge.
> > I think there is a bad interaction between bridge and
> > netfilter codes. Any chance to have a patch to solve
> > this problem, which limits the possibility to use the Linux
> > bridges in an environment with VLANs?
>
> Is it maybe the problem described here?
>
> https://lists.linux-foundation.org/pipermail/bridge/2007-May/005436.html
>
> If so, it was reported more than one year ago and still
> none of the developers cares about it.

Yes, it is exactly the same problem. Thanks for the patch, which I hope the developers will include in the vanilla Kernel as soon as possible.

Regards
Fulvio Ricciardi