[pve-devel] [PATCH] support QinQ / vlan stacking

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Mar 11 08:17:35 CET 2015


Am 03.03.2015 um 13:50 schrieb Stefan Priebe - Profihost AG:
> 
> Am 03.03.2015 um 13:42 schrieb Dietmar Maurer:
>>> Sure, but a VM attached to a bridge should not see tagged frames by
>>> default. It should only see untagged frames until we allow it to see
>>> tagged frames from different VLANs.
>>
>> Why? AFAIK this is the default behavior from the beginning.
> 
> I think it's better to be more secure by default. Also I know no switch
> or vendor that does it this way.
> 
> Normally you won't see tagged traffic on a port by default. So most
> users are not used to this behaviour? No?


Just for the record.

Kernel 2.6.32 does not have this problem as it does not forward tagged
frames in bridges.

With kernel 3.10 this behaviour changes for people who built their
security on the behaviour of 2.6.32. They become insecure by changing
the kernel.

This is "solved" by Alexandre's ebtables patches as well, as you can
control which type of packets can pass through to the tap device. So as
long as you do not enable VLAN frames, they get blocked by ebtables.

So another reason to include those.

Greets,
Stefan
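One way to get the per-tap filtering the mail describes, as an added example that is not code from this thread, from the ebtables patches mentioned, or from Proxmox VE itself: a POSIX shell helper that emits ebtables rules dropping 802.1Q-tagged frames on a VM's tap device unless a VLAN ID has been explicitly allowed. The tap name `tap100i0`, the use of the plain FORWARD chain and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the pve-devel thread or from Proxmox VE.
# Emits ebtables rules that keep VLAN-tagged frames away from a VM's tap
# device unless a VLAN ID is explicitly allowed, i.e. the "blocked unless
# you enable VLAN frames" behaviour described in the mail. The tap name and
# the use of the FORWARD chain are assumptions; a real deployment may use
# its own per-tap chains instead.

# valid_vid VID: succeeds only for a usable 802.1Q VLAN ID (1..4094)
valid_vid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# gen_tap_vlan_rules TAP [VID ...]: print ebtables commands for one tap port.
# With no VIDs, every tagged frame entering (-i) or leaving (-o) the bridge
# through the tap is dropped. Listed VIDs are accepted first; any other
# tagged frame is still dropped. 0x88A8 frames (802.1ad S-tags, the outer
# tag of a QinQ stack) are dropped as well, because --vlan-id only matches
# 0x8100 frames and an S-tagged frame would otherwise slip past the filter.
gen_tap_vlan_rules() {
    tap=$1; shift
    for vid in "$@"; do
        valid_vid "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
    done
    for dir in -i -o; do
        for vid in "$@"; do
            printf 'ebtables -A FORWARD %s %s -p 802_1Q --vlan-id %s -j ACCEPT\n' \
                "$dir" "$tap" "$vid"
        done
        printf 'ebtables -A FORWARD %s %s -p 802_1Q -j DROP\n' "$dir" "$tap"
        printf 'ebtables -A FORWARD %s %s -p 0x88A8 -j DROP\n' "$dir" "$tap"
    done
}

# apply_tap_vlan_rules TAP [VID ...]: run the generated rules (needs root)
apply_tap_vlan_rules() {
    gen_tap_vlan_rules "$@" | sh -e
}
```

Running `gen_tap_vlan_rules tap100i0` alone prints the four DROP rules for a VM with no VLANs enabled; `gen_tap_vlan_rules tap100i0 100` adds ACCEPT rules for VLAN 100 ahead of them.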
