[pve-devel] kernel 3.10 : bridge vlan test

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Dec 17 09:34:20 CET 2013 

Am 17.12.2013 07:56, schrieb Alexandre DERUMIER:
>>> it just works for me with vanilla 3.10 and the additional patch. BUT 
>>> without VLAN filtering i don't use it. 
> 
> Don't you use special setup with bridge on top of another bridge ? (It was about gvrp support If I remember)

This was needed until 3.8. I dropped that code / patch and i'm using the
default Proxmox implementation again.

> About vlan filtering
> --------------------
>>> could you send me: 
>>> zgrep 'VLAN' /proc/config.gz 
>  ???? what is this ?

This is the current kernel config - but maybe redhat does not compile
that one.

> sysctl -a | grep bridge
> 
> net.bridge.bridge-nf-call-arptables = 1
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-filter-pppoe-tagged = 0
> net.bridge.bridge-nf-filter-vlan-tagged = 0
> net.bridge.bridge-nf-pass-vlan-input-dev = 0

you need to set
>
> net.bridge.bridge-nf-call-arptables = 1
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1

to 0. Otherwise vlands and co get's filtered at the bridge.


> I really don't understand why vlan filtering doesn't work( but it's not the first time that bridge module is buggy).
> I'll try to ask to the netdev mailing list.

Please try to set
> net.bridge.bridge-nf-call-arptables = 1
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1

to 0 first.

> about openvswitch
> -----------------
> I have done some tests with openvswitch, and it's work really fine. 
> iperf show me 20Gb/s, I never reach more than 8gb/s with linux bridge.
> vlan work out of the box. 
> 
> @Dietmar
> 
> about openvswitch, I would like to add support to be able to plug kvm tap interface into it.
> (simple detection if vmbrX is a linux bridge or openvswitch through sysfs, and then use brctl or ovz-ctl command to plug tap interface).
> 
> So advanced users could use them if they want. (create openvswitch command line, no support from gui)

oh i really would like to see this too.

Stefan


> 
> 
> A the end, I would like to have a proper implementation of linux bridge vlan_filtering and openvswitch. 
> (with same network architecture,1 bridge with vlan management, so both can be interchanged)
> 
> 
> ----- Mail original ----- 
> 
> De: "Stefan Priebe" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Lundi 16 Décembre 2013 20:08:18 
> Objet: Re: [pve-devel] kernel 3.10 : bridge vlan test 
> 
> Hi, 
> 
> it just works for me with vanilla 3.10 and the additional patch. BUT 
> without VLAN filtering i don't use it. 
> 
> could you send me: 
> zgrep 'VLAN' /prof/config.gz 
> 
> and 
> 
> sysctl -a | grep bridge 
> 
> Stefan 
> Am 16.12.2013 16:37, schrieb Alexandre DERUMIER: 
>> Stefan, 
>>
>> you could send how you manage bridge vlan on top of other bridge ? 
>>
>> (I would like to test with 3.10 kernel, as I had problem last year with 2.6.32 kernel) 
>>
>>
>>
>> I'm also looking at openvswitch, as it seem it's possible to mix bridge and openvswitch. 
>> Seem that openstack can manage this kind of setup: 
>>
>> host eth0---->openvzswitch---veth0-----veth1---linuxbridge<----tap interface 
>>
>> using 1 bridge by tap interface. 
>> So it's possible to use iptables with the linux bridge. 
>> And manage vlans on openvswitch (and also other features, like netflow) 
>>
>>
>>
>> ----- Mail original ----- 
>>
>> De: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> À: "Dietmar Maurer" <dietmar at proxmox.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Dimanche 15 Décembre 2013 20:15:04 
>> Objet: Re: [pve-devel] kernel 3.10 : bridge vlan test 
>>
>>>> I just added the patch from Stefan and compiled and uploaded a new kernel package. 
>>>> Please can you test if that helps? 
>>
>> Don't help :( 
>>
>> once vlan_filterning is enabled, I can't ping between vms 
>>
>> ----- Mail original ----- 
>>
>> De: "Dietmar Maurer" <dietmar at proxmox.com> 
>> À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Stefan Priebe (s.priebe at profihost.ag)" <s.priebe at profihost.ag> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Samedi 14 Décembre 2013 10:09:33 
>> Objet: RE: [pve-devel] kernel 3.10 : bridge vlan test 
>>
>>> Oh, sorry, forget to say : both was in same vlan when it doesn't ping. 
>>>
>>> Also, if I don't configure any vlan, and enable filtering, it doesn't work. 
>>>
>>> Maybe it doesn't work with tap interfaces ? Need to ask to the kernel mailing. 
>>
>> I just added the patch from Stefan and compiled and uploaded a new kernel package. 
>> Please can you test if that helps? 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>

More information about the pve-devel mailing list