Hello [EMAIL PROTECTED] and Lennert,

Preamble
--------
Report of my test as I promised in Message-ID: <[EMAIL PROTECTED]> of this
mailing list. In that case I tried to bind a VLAN to the bridge interface.
Now it is the other way round: first set up VLANs on the physical Ethernet
interfaces, then establish a virtual bridge on the VLAN interfaces.

Test aim:
---------
To establish multiple bridges per VLAN ("virtual bridges") over a trunked
channel, with one bridge for untagged (non-802.1Q) Ethernet frames, and to
check whether iptables is applied to each bridge interface separately.

Initial conditions:
-------------------
There are 2 VLANs in the trunked channel - 169 and 170 (they may be any
numbers from 2 to 4095; I chose those just for simplification, as the class C
IP network numbers for 192.168.169.0/24 and 192.168.170.0/24). Untagged
frames are also present. VLAN No.1 is not recommended for test purposes.

The circuit of the stand

  (2)----(1)----[1](3)[11|12]----(4)

Circuit legend:
---------------
(1). Linux box in bridge mode (Kernel 2.4.18, bridge-nf-0.0.7-against-2.4.18.diff)
     eth0: Intel Corp. 82557 [Ethernet Pro 100]
     eth1: Intel Corp. 82557 [Ethernet Pro 100] (#2)
     ip_tables: (C) 2000-2002 Netfilter core team
     NET4: Ethernet Bridge 008 for NET4.0
     Bridge firewalling registered
     802.1Q VLAN Support v1.6 Ben Greear <[EMAIL PROTECTED]>

(2). Another Linux box as standalone host with one eth0 and two VLAN
     interfaces (one Intel eepro100 NIC, Kernel 2.4.19pre8, 802.1Q VLAN
     Support v1.7)
     vconfig set_name_type DEV_PLUS_VID_NO_PAD
     vconfig add eth0 169
     vconfig add eth0 170
     ifconfig eth0.169 192.168.169.1 netmask 255.255.255.0 up
     ifconfig eth0.170 192.168.170.1 netmask 255.255.255.0 up

(3). Cisco Catalyst 3512XL (interfaces 1,11,12 used)
     no spanning-tree vlan 1
     no spanning-tree vlan 169
     no spanning-tree vlan 170
     interface FastEthernet0/1
      duplex full
      speed 100
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 1,169,170
      switchport mode trunk
     interface FastEthernet0/11
      switchport access vlan 170
     interface FastEthernet0/12
      switchport access vlan 169

(4). Cisco Router 805 series
     interface Ethernet0
      ip address 192.168.170.2 255.255.255.0 secondary
      ip address 192.168.169.2 255.255.255.0

Test sequence:
--------------
(2), (3) and (4) are initially configured. (1) booted up with no network
settings; eth0 and eth1 are not configured and are in the down state. Now I
set up two VLANs (169, 170), and after them two "virtual bridges", one per
VLAN.

(1) Setup script:
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add eth0 169
vconfig add eth1 169
vconfig set_flag eth0.169 1
vconfig add eth0 170
vconfig add eth1 170
vconfig set_flag eth0.170 1
brctl addbr br1.169
brctl addif br1.169 eth0.169
brctl addif br1.169 eth1.169
brctl stp br1.169 off
brctl addbr br1.170
brctl addif br1.170 eth0.170
brctl addif br1.170 eth1.170
brctl stp br1.170 off
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth0.169 up
ifconfig eth1.169 up
ifconfig br1.169 up
ifconfig eth0.170 up
ifconfig eth1.170 up
ifconfig br1.170 up
(1) End of setup script.

(1) brctl show
bridge name     bridge id               STP enabled     interfaces
br1.169         8000.00a0c98cf63f       no              eth0.169
                                                        eth1.169
br1.170         8000.00a0c98cf63f       no              eth0.170
                                                        eth1.170

Virtual bridges setup complete. Let's check them now.

(3)[11]<---(4)
(2) ping 192.168.170.2
PING 192.168.170.2 (192.168.170.2) from 192.168.170.1 : 56(84) bytes of data.
...
--- 192.168.170.2 ping statistics ---
20 packets transmitted, 20 packets received, 0% packet loss

(1) tcpdump -n -i eth0.170
16:46:59.080152 192.168.170.1 > 192.168.170.2: icmp: echo request (DF)
16:46:59.081985 192.168.170.2 > 192.168.170.1: icmp: echo reply (DF)
...

The same is shown for VLAN 169 when (3)[12]<---(4).
Tcpdump is showing "stripped" frames, because the REORDER_HDR flag for the
VLAN interface was set to 1 (see also vconfig usage). This means the
"virtual bridge" is working properly!

Now I just check packet matching by iptables on (1).
(1) iptables -F
(1) iptables -I FORWARD -p icmp -i br1.169 -j ACCEPT
(1) iptables -I FORWARD -p icmp -i br1.170 -j ACCEPT
(1) iptables -vL
Chain INPUT (policy ACCEPT 6412 packets, 1681K bytes)
 pkts bytes target     prot opt in      out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
  172 14448 ACCEPT     icmp --  br1.170 any     anywhere             anywhere
  122 10728 ACCEPT     icmp --  br1.169 any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 6856 packets, 855K bytes)
 pkts bytes target     prot opt in      out     source               destination

The pings are still going on, and I can see the icmp packets being matched!
Interesting detail: no packets are shown in the FORWARD chain line, but many
packets are shown in the INPUT and OUTPUT chain lines. Yet at this time there
is some amount of matched packets per each rule in the FORWARD chain.

It's time to set up the bridge for untagged traffic. On (1) I added the next
commands:
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
.. at this stage (2) ping has no replies
brctl stp br0 off
ifconfig br0 up

Now "tcpdump -n -i br1.{169,170}" got silence, but "tcpdump -n -i br0" shows
after a few seconds:
16:42:28.383334 802.1Q vlan#169 P0 arp who-has 192.168.169.2 tell 192.168.169.1
16:42:29.033485 802.1Q vlan#170 P0 192.168.170.1 > 192.168.170.2: icmp: echo request (DF)
16:42:29.035371 802.1Q vlan#170 P0 192.168.170.2 > 192.168.170.1: icmp: echo reply (DF)
16:42:29.383508 802.1Q vlan#169 P0 arp who-has 192.168.169.2 tell 192.168.169.1
16:42:34.034347 802.1Q vlan#170 P0 192.168.170.1 > 192.168.170.2: icmp: echo request (DF)
16:42:34.036229 802.1Q vlan#170 P0 192.168.170.2 > 192.168.170.1: icmp: echo reply (DF)

(1) iptables -I FORWARD -p icmp -i br0 -j ACCEPT
Waiting a few seconds and
(1) iptables -vL
...
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0            icmp --  br0     any     anywhere             anywhere
  172 14448 ACCEPT     icmp --  br1.170 any     anywhere             anywhere
  122 10728 ACCEPT     icmp --  br1.169 any     anywhere             anywhere
...

iptables got no incremented packet counters in any rule, and a stable zero in
the rule for the br0 interface. This means that iptables should process tagged
frames on br0, but is not able to do it.

When I stop br0:
ifconfig br0 down
brctl delbr br0
then "tcpdump -n -i br1.{169|170}" and iptables repeat packet matching.

Result:
-------
Today it is possible to build separated devices with iptables for
a) 802.1Q-based bridges ("Virtual Bridges")
b) non-802.1Q-based bridges,
but not together.

--
Best regards,
Nick Fedchik FNM3-RIPE mailto:[EMAIL PROTECTED]
Senior Engineer/Internet Dept./UkrSat ISP
Kiev, Ukraine

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
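As an added example (not from the post above or from the bridge project), here is a small Python script that automates the check the report does by hand: it parses two `iptables -vL` snapshots of the FORWARD chain and reports which bridge interfaces' rules stopped matching packets, which is how the "tagged frames reach br0 but no rule counts them" symptom shows up. The snapshot strings are constructed from the counters quoted in the post.

```python
import re

# Constructed snapshots using the FORWARD-chain counters quoted in the post:
# BEFORE is the first `iptables -vL` (only the VLAN bridges), AFTER the one
# taken after br0 was added and the wait. No counter moved.
BEFORE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
  172 14448 ACCEPT     icmp --  br1.170 any     anywhere             anywhere
  122 10728 ACCEPT     icmp --  br1.169 any     anywhere             anywhere
"""
AFTER = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0            icmp --  br0     any     anywhere             anywhere
  172 14448 ACCEPT     icmp --  br1.170 any     anywhere             anywhere
  122 10728 ACCEPT     icmp --  br1.169 any     anywhere             anywhere
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def _count(token):
    """Parse an iptables -v counter such as '172' or '1681K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    return int(m.group(1)) * _SUFFIX.get(m.group(2), 1) if m else 0

def parse_chain(text, chain="FORWARD"):
    """Map input interface -> matched packets for the rules of one chain.

    A rule printed without a target has 8 columns instead of 9 (the target
    column is blank), so both shapes are accepted; other lines are skipped.
    """
    rules, in_chain = {}, False
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["Chain"]:
            in_chain = t[1] == chain
        elif in_chain and len(t) in (8, 9) and t[0] != "pkts":
            iface = t[5] if len(t) == 9 else t[4]
            rules[iface] = rules.get(iface, 0) + _count(t[0])
    return rules

def counter_deltas(before, after, chain="FORWARD"):
    """Per-interface change in matched packets between two snapshots."""
    b, a = parse_chain(before, chain), parse_chain(after, chain)
    return {iface: a.get(iface, 0) - b.get(iface, 0) for iface in a}

def idle_interfaces(before, after, chain="FORWARD"):
    """Interfaces whose rules matched nothing new: traffic is bypassing them."""
    return sorted(i for i, d in counter_deltas(before, after, chain).items() if d == 0)
```

Feed it two real `iptables -vL` captures taken a few seconds apart; an interface listed by `idle_interfaces` while tcpdump still shows traffic on it is the mismatch the post reports.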
