[pve-devel] Port BR_GROUPFWD_RESTRICTED patch for Layer 1-esque Linux Bridge forwarding

Jesus Llorente jesus.llorente at gmail.com
Mon Aug 27 22:15:46 CEST 2018


Hi,

First of all, thank you all for your comments and for engaging in this
discussion.

I do agree that creating a Linux bridge for each point-to-point connection
is perhaps not the cleanest approach; however, it does by nature provide
tapping capabilities, which is great for debugging and educational
purposes. As I mentioned before, the aim was to virtualize several network
appliances in order to build a lab environment, self-contained on the same
host.

On the other hand, I cannot agree with the statement of the author on the
link that Thomas posted before, "we don't let people do things that break
networks". That's the beauty of it: Linux is flexible and versatile and
allows us to do pretty much everything. Besides, it's not like we are
breaking 802.3ad compatibility by default; we would only be allowing the
creation of a layer-1 connection, which won't happen by accident.

UDP tunneling could work, but it's harder to take a tcpdump capture and
analyze the traffic. I will experiment with this as a temporary workaround.

Macvlan cannot work, because it will only receive traffic addressed to its
specific MAC address, which limits the scope of the network appliance mostly
to routers, since switches will have to bridge L2 frames.

In summary, I don't see a big issue porting the patch Thomas mentioned
(https://lists.linuxfoundation.org/pipermail/bridge/2015-January/009292.html),
as it will be network-administrator controlled anyway. It would be
interesting to see how the community feels about this, taking into
consideration the educational perspective.

Best,
Jesus


On Sun, Aug 26, 2018 at 12:28 PM Alexandre DERUMIER <aderumier at odiso.com>
wrote:

> Hi,
>
> my 2 cents, but maybe it could work with macvtap/macvlan?
>
> https://suhu0426.github.io/Web/Presentation/20150203/index.html
>
>
> or maybe simply with PCI passthrough (with SR-IOV) of a physical interface
> inside the VMs.
>
>
>
> ----- Original Message -----
> From: "Jesus Llorente" <jesus.llorente at gmail.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Friday 24 August 2018 09:00:52
> Subject: [pve-devel] Port BR_GROUPFWD_RESTRICTED patch for Layer 1-esque
> Linux Bridge forwarding
>
> Hello,
>
> I am working on a scenario that uses virtual machines to run a switch
> appliance. The aim of my test is not performance, but to test different
> configurations and network models. However, I have stumbled upon something
> that depends on the kernel which is making Linux bridges consume link-local
> multicast packets (LLDP, LACP, etc.) in compliance with 802.3ad.
>
> In this patch
> https://lists.linuxfoundation.org/pipermail/bridge/2015-January/009291.html
> they removed a hard-coded restriction so that the behavior of the bridge
> can then be controlled from the OS with the variable
> /sys/class/net/$brname/bridge/group_fwd_mask
>
> In this post, the author explains the different values this variable can
> take, according to what we are trying to allow/restrict.
>
> https://interestingtraffic.nl/2017/11/21/an-oddly-specific-post-about-group_fwd_mask
>
> I would like to suggest porting this patch to the PVE kernel to remove all
> the restrictions and enable fully transparent bridging (point-to-point-like
> links) across devices, in a Layer 1 fashion.
>
> PS: Thank you for your amazing work!!
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
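The thread discusses the group_fwd_mask knob without spelling out what its bits mean. The following POSIX shell snippet is an added example, not code from the thread or from Proxmox: it decodes a mask value into the 01:80:C2:00:00:0X link-local addresses the bridge would forward, labels the well-known ones, and flags the three low bits (STP BPDUs, 802.3x PAUSE, 802.3ad slow protocols such as LACP) that the stock kernel's BR_GROUPFWD_RESTRICTED check refuses, which is exactly the restriction the referenced patch removes. The protocol-name table and the `bridge_fwd_mask` helper for reading or writing the sysfs file are assumptions for illustration; writing requires root and an existing bridge.

```shell
#!/bin/sh
# Added example (not from the pve-devel thread): decode and inspect a Linux
# bridge group_fwd_mask value, and read/set it through sysfs.

# Bits 0, 1 and 2 form BR_GROUPFWD_RESTRICTED (0x0007) in the stock kernel:
# STP/RSTP BPDUs, 802.3x PAUSE frames and 802.3ad slow protocols (LACP).
# Forwarding these joins the attached segments at the control-plane level,
# which is why the unpatched kernel silently drops those bits from the mask.
RESTRICTED_MASK=7

# Assumed lookup table for the well-known 01:80:C2:00:00:0X addresses.
proto_name() {
    case "$1" in
        0)  echo "STP/RSTP BPDU" ;;
        1)  echo "802.3x PAUSE" ;;
        2)  echo "802.3ad slow protocols (LACP/LAMP/link OAM)" ;;
        3)  echo "802.1X PAE" ;;
        8)  echo "provider bridge group address" ;;
        14) echo "LLDP" ;;
        *)  echo "reserved/other" ;;
    esac
}

# mask_to_addrs MASK -> one MAC address per line for every set bit (0..15).
mask_to_addrs() {
    mask=$(($1))
    bit=0
    while [ "$bit" -lt 16 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            printf '01:80:c2:00:00:%02x\n' "$bit"
        fi
        bit=$((bit + 1))
    done
}

# restricted_bits MASK -> the subset of MASK the stock kernel refuses.
restricted_bits() {
    printf '0x%04x\n' $(( $1 & RESTRICTED_MASK ))
}

# describe_mask MASK -> human-readable report of what MASK would forward.
describe_mask() {
    printf 'group_fwd_mask=0x%04x\n' $(($1))
    for addr in $(mask_to_addrs "$1"); do
        b=$((0x${addr##*:}))
        flag=""
        if [ $(( (1 << b) & RESTRICTED_MASK )) -ne 0 ]; then
            flag=" [refused by stock kernel]"
        fi
        printf '  %s  %s%s\n' "$addr" "$(proto_name "$b")" "$flag"
    done
}

# bridge_fwd_mask BR [MASK] -> read (or, with MASK and as root, set) the knob.
bridge_fwd_mask() {
    path="/sys/class/net/$1/bridge/group_fwd_mask"
    if [ -n "$2" ]; then
        printf '0x%x\n' $(($2)) > "$path"
    fi
    cat "$path"
}

# Usage, e.g. to see what forwarding LLDP plus LACP would mean:
#   describe_mask 0x4004
#   bridge_fwd_mask vmbr0          # read current value
```

Run `describe_mask` on a candidate value before writing it: anything it flags as refused will be dropped by an unpatched kernel and, once the patch is applied, will leak spanning-tree, flow-control or LACP frames straight through the bridge to whatever is on the other side.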


