[pve-devel] [PATCH] support QinQ / vlan stacking

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Mar 11 09:46:42 CET 2015


On 11.03.2015 at 09:10, Dietmar Maurer wrote:
>> Just for the record.
>>
>> Kernel 2.6.32 does not have this problem as it does not forward tagged
>> frames in bridges.
>>
>> With Kernel 3.10 this behaviour changes for people building their
>> security based on the behaviour of 2.6.32. They become insecure by changing
>> the kernel.
> 
> Interesting. Do you know which patch changed that behavior? And is there a way
> to switch back to the old behavior?
> 

It's the vlan support and vlan filtering series.

For example:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/net/bridge?id=8580e2117c06ac0c97a561219eaab6dab968ea3f

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/net/bridge?id=204177f3f30c2dbd2db0aa62b5e9cf9029786450

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/net/bridge?id=0d5501c1c828fb97d02af50aa9d2b1a5498b94e4

and maybe others.

The old behaviour can be restored by enabling vlan_filtering on the bridge.

Stefan
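
The message above names the bridge's vlan_filtering setting as the switch that matters after a kernel upgrade. The following is an added example, not part of the original message or of the Proxmox code: a check that lists every bridge on a host with the state of its `bridge/vlan_filtering` sysfs attribute. The function name `audit_bridge_vlan_filtering` and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the vlan_filtering state of every Linux bridge.
# audit_bridge_vlan_filtering is a hypothetical helper name. The optional
# argument is the directory to scan (default /sys/class/net), so the
# function can also be pointed at a constructed tree.
#
# Usage: audit_bridge_vlan_filtering            # scan the running host
#        audit_bridge_vlan_filtering /some/dir  # scan a constructed tree
audit_bridge_vlan_filtering() {
    net_root="${1:-/sys/class/net}"
    unfiltered=0
    for dev in "$net_root"/*; do
        # Only bridge devices have a bridge/ subdirectory in sysfs.
        [ -d "$dev/bridge" ] || continue
        name=$(basename "$dev")
        attr="$dev/bridge/vlan_filtering"
        if [ ! -r "$attr" ]; then
            # Attribute absent: this kernel exposes no bridge VLAN
            # filtering switch. Reported, but not counted as a finding.
            echo "$name no-attribute"
            continue
        fi
        state=$(cat "$attr")
        if [ "$state" = "1" ]; then
            echo "$name filtering"
        else
            echo "$name not-filtering"
            unfiltered=$((unfiltered + 1))
        fi
    done
    # Exit status 0 only if no bridge was found with vlan_filtering off.
    [ "$unfiltered" -eq 0 ]
}
```

The non-zero exit status makes the function usable as a post-upgrade check in a provisioning or monitoring job.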


