On 8/27/15 16:27 , Dirk Steinberg wrote:
> Does anyone have a clue why the VLAN tags get stripped and
> how this can be fixed?

Hi,

I think I can fill in a bunch of the details here. First, a bit of
history. In general, SmartOS has only ever supported treating the KVM
guest as though it's in access mode, e.g. the VLAN tag is always added
and stripped on the way into the VM and tagged on the way out of the
VM. This was always done to make it easy for the configuration of the
guest and because of what we traditionally required on the cloud.

It's been a while since I looked at the old code paths, but they were
always supposed to be stripping it. There may be some odd set of paths
where combined with the unfiltered promiscuous where they weren't being
stripped and added.

Now, with the change to bardiche, we do strip the tag ourselves in
bardiche; however, it's added by the other parts of the stack.

Now, we've talked about what we'd like to do here. It's a series of a
few steps.

1) We'd like to add a new form of mac protection that's basically VLAN
antispoofing. In other words, you can add a list of allowed VLANs that
you're allowed to send.

2) We'd want to add a new option to vnd that basically allows us to
toggle between one of three modes:

   1) access mode - the current default
   2) tagged mode - a mode where we don't manipulate the tags, but don't
      allow untagged frames
   3) mixed mode - a combination of the two, where untagged frames will be
      tagged with a specific VLAN, but the rest won't

After we added that to vnd, we'd plumb it through in vmadm. If someone
is interested in working on this, I'd be happy to help give them more
details.

Robert
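
A model of the guest-to-network direction for the three modes and the allowed-VLAN check listed in the message above, added here as an illustration; it is not SmartOS, vnd or bardiche code. The function and enum names are hypothetical, and two behaviours are assumptions the message does not specify: access mode drops frames the guest has tagged itself, and only guest-supplied tags are checked against the allowed list.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum vlan_mode { MODE_ACCESS, MODE_TAGGED, MODE_MIXED };  /* hypothetical names */
#define TPID_8021Q 0x8100
#define ETH_HDR 14          /* dst(6) + src(6) + ethertype(2) */

/* Returns 1 if vid is on the guest's allowed-VLAN list. */
static int vid_allowed(uint16_t vid, const uint16_t *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == vid)
            return 1;
    return 0;
}

/*
 * Guest -> network. Writes the frame to put on the wire into out
 * (which must hold len + 4 bytes) and returns its length, or 0 to drop.
 */
size_t guest_tx(enum vlan_mode mode, uint16_t pvid,
    const uint16_t *allowed, size_t n,
    const uint8_t *in, size_t len, uint8_t *out)
{
    if (len < ETH_HDR)
        return 0;
    int has_tag = ((in[12] << 8) | in[13]) == TPID_8021Q;

    if (has_tag) {
        if (len < ETH_HDR + 4 || mode == MODE_ACCESS)
            return 0;   /* assumption: access-mode guests may not send tags */
        uint16_t vid = ((in[14] << 8) | in[15]) & 0x0fff; /* low 12 bits of TCI */
        if (!vid_allowed(vid, allowed, n))
            return 0;   /* VLAN antispoofing: tag not on the allowed list */
        memcpy(out, in, len);   /* tagged and mixed: tag left untouched */
        return len;
    }
    if (mode == MODE_TAGGED)
        return 0;       /* tagged mode: untagged frames are not allowed */
    /* access and mixed: insert an 802.1Q tag for pvid after the two MACs */
    memcpy(out, in, 12);
    out[12] = TPID_8021Q >> 8; out[13] = TPID_8021Q & 0xff;
    out[14] = (pvid >> 8) & 0x0f; out[15] = pvid & 0xff;  /* PCP/DEI = 0 */
    memcpy(out + 16, in + 12, len - 12);
    return len + 4;
}
```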

