Mark Zipp | 1 Jun 2006 02:40

Re: Problem bridging frames with bridge and real interface MTU > 1527

Hi Stephen,

On 24/05/06, Stephen Hemminger <shemminger <at> osdl.org> wrote:
<snip>

> > Thanks for your help,
> > Mark.
> The problem (as I remember it) was often with ip_conntrack. It
> reassembles fragmented
> IP packets to look at them, then didn't fragment on output.
>

Strange thing was that even after I was able to successfully do 2024
byte pings through the bridge, with and without iptables connection
tracking rules in place, I still encountered the problem with the
oversized IP/GRE traffic that I'm trying to capture. What I think is
also interesting is that even though when I set the MTUs on the
ethernet interfaces and the bridge to 1527, not only does it all work,
the bridge is also forwarding frames that have a 1528 byte MTU (IP +
GRE + original 1500 byte IP packet), which I think should make the
bridge drop the frames as too large, yet setting the MTU 1528 on the
bridge and interfaces makes it fail.

Maybe it is the different ways IP connection tracking treats ICMP /
Ping traffic versus IP/GRE traffic that is causing the issue.

I've got some more testing to do again, this time around I'll try the
2024 byte MTU on the bridge, and a blind iptables permit all to and
from the bridge interfaces, which should hopefully eliminate ip
connection tracking from the equation, therefore identifying it as the

Jim Lloyd | 1 Jun 2006 04:10

Minimal transparent bridge

Hi folks,

I have some ambitious plans to set up a Fedora Core 5 node as a  
transparent bridge between my host's gateway and the remainder of a  
rack of nodes colocated at the host that I share with some friends.  
I've had a hard time getting this working. I seem to be stuck at a  
pretty basic level, so I am hoping there is something obvious someone  
can point out for me. For example, I just noticed one warning against  
using 2.6 kernels. Is that still true, even for the most current 2.6  
kernels (2.6.16.1)?

I'd like to start with a very simple question: what are the minimal
steps to set up a server with two ethernet interfaces (eth0 and eth1)  
as a transparent bridge?

I'm following the Nils Radtke's how-to here:
http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html

Assume I have a 3 node network:

L:eth0 <-> eth0:B:eth1 <-> eth0:R

B is my bridge. L and R are nodes on the same subnet that can ping  
each other if the bridge is replaced by a hub.

From what I know so far, I thought the following steps on the bridge
should be enough:

1) remove all iptable rules.
2) do the following

Joshua Kwan | 1 Jun 2006 05:38

Bridging a wireless/wired LAN and a PPPoE connection

Hi all,

I'm trying out bridging for my wireless and wired LAN, so that they can
both use my PPPoE connection. Here's the network structure, pretty easy:

darjeeling (192.168.1.7)                    ringo (192.168.1.3)
(mtu 1500)                                       (mtu 1500)
\                                                    /
 \   wlan0      <--br0 (mtu 1500)-->      eth1      /
  -- 802.11 --- influx (192.168.1.1) --- Ethernet --
 /  (mtu 1500)          |                (mtu 1500) \
...                    eth0                         ...
                    (mtu 1500)
                        |
                        v
                  ppp0 (mtu 1492)
                        |
                        v
                  (( Internet ))

My problem is that certain websites are inaccessible from darjeeling and
ringo if I don't set the MTU to 1492 on each client. Changing the MTU to
1492 on eth0 just fubars my PPP connection.

Alternatively, setting up a HTTP proxy on br0 works as well, and is the
solution I'm using for my clients at home right now.

Could somebody explain to me what is going on? What I would prefer to do
is use a solution that doesn't require me to use the proxy or change
everyone's MTU to 1492.

Stephen Hemminger | 2 Jun 2006 19:03

Re: Problem bridging frames with bridge and real interface MTU > 1527

On Thu, 1 Jun 2006 10:10:28 +0930
"Mark Zipp" <mark.r.zipp <at> gmail.com> wrote:

> Hi Stephen,
> 
> 
> On 24/05/06, Stephen Hemminger <shemminger <at> osdl.org> wrote:
> <snip>
> 
> > > Thanks for your help,
> > > Mark.
> > The problem (as I remember it) was often with ip_conntrack. It
> > reassembles fragmented
> > IP packets to look at them, then didn't fragment on output.
> >
> 
> Strange thing was that even after I was able to successfully do 2024
> byte pings through the bridge, with and without iptables connection
> tracking rules in place, I still encountered the problem with the
> oversized IP/GRE traffic that I'm trying to capture. What I think is
> also interesting is that even though when I set the MTUs on the
> ethernet interfaces and the bridge to 1527, not only does it all work,
> the bridge is also forwarding frames that have a 1528 byte MTU (IP +
> GRE + original 1500 byte IP packet), which I think should make the
> bridge drop the frames as too large, yet setting the MTU 1528 on the
> bridge and interfaces makes it fail.
> 
> Maybe it is the different ways IP connection tracking treats ICMP /
> Ping traffic versus IP/GRE traffic that is causing the issue.
> 

Jim Lloyd | 2 Jun 2006 19:28

Re: Minimal transparent bridge

Hello again,

I didn't see any response to my questions below. Can someone at least  
confirm or deny that bridging is still broken (or not) with 2.6 kernels?

Thanks in advance,
Jim Lloyd

On May 31, 2006, at 7:10 PM, Jim Lloyd wrote:

> Hi folks,
>
> I have some ambitious plans to set up a Fedora Core 5 node as a
> transparent bridge between my host's gateway and the remainder of a
> rack of nodes colocated at the host that I share with some friends.
> I've had a hard time getting this working. I seem to be stuck at a
> pretty basic level, so I am hoping there is something obvious someone
> can point out for me. For example, I just noticed one warning against
> using 2.6 kernels. Is that still true, even for the most current 2.6
> kernels (2.6.16.1)?
>
> I'd like to start with a very simple question: what are the minimal
> steps to set up a server with two ethernet interfaces (eth0 and eth1)
> as a transparent bridge?
>
> I'm following the Nils Radtke's how-to here:
> http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html
>
> Assume I have a 3 node network:
>

Stephen Hemminger | 2 Jun 2006 19:43

Re: Minimal transparent bridge

On Fri, 2 Jun 2006 10:28:21 -0700
Jim Lloyd <jim.lloyd <at> mac.com> wrote:

> Hello again,
> 
> I didn't see any response to my questions below. Can someone at least  
> confirm or deny that bridging is still broken (or not) with 2.6 kernels?
> 
> Thanks in advance,
> Jim Lloyd

As far as I know, it's not broken in any recent 2.6 version.
Current documentation is at
	http://linux-net.osdl.org/index.php/Bridge

Don't trust hearsay.

Stephen Hemminger | 2 Jun 2006 20:07

Re: Bridging a wireless/wired LAN and a PPPoE connection

On Wed, 31 May 2006 20:38:20 -0700
Joshua Kwan <joshk <at> triplehelix.org> wrote:

> Hi all,
> 
> I'm trying out bridging for my wireless and wired LAN, so that they can
> both use my PPPoE connection. Here's the network structure, pretty easy:
> 
> darjeeling (192.168.1.7)                    ringo (192.168.1.3)
> (mtu 1500)                                       (mtu 1500)
> \                                                    /
>  \   wlan0      <--br0 (mtu 1500)-->      eth1      /
>   -- 802.11 --- influx (192.168.1.1) --- Ethernet --
>  /  (mtu 1500)          |                (mtu 1500) \
> ...                    eth0                         ...
>                     (mtu 1500)
>                         |
>                         v
>                   ppp0 (mtu 1492)
>                         |
>                         v
>                   (( Internet ))
> 
> My problem is that certain websites are inaccessible from darjeeling and
> ringo if I don't set the MTU to 1492 on each client. Changing the MTU to
> 1492 on eth0 just fubars my PPP connection.
> 
> Alternatively, setting up a HTTP proxy on br0 works as well, and is the
> solution I'm using for my clients at home right now.
> 

Jim Lloyd | 2 Jun 2006 21:15

Re: Minimal transparent bridge

Hi Stephen,

Thanks, I'm familiar with your wiki, which has high quality content,  
albeit a little light on quantity. :)

My original email asked what are the minimal steps to make a working
bridge for two links with identical network configurations. I think
this would be an excellent addition to the wiki. I'd volunteer to
make the first pass at that, but so far I'm failing to achieve it
with the hardware+os platforms I have available to me. It seems like
it should be simple enough, and my initial reaction was to ignore the
hearsay, but when, after trying several things, I still didn't have
success, I had to be able to rule out the hearsay.

Jim

On Jun 2, 2006, at 10:43 AM, Stephen Hemminger wrote:

> On Fri, 2 Jun 2006 10:28:21 -0700
> Jim Lloyd <jim.lloyd <at> mac.com> wrote:
>
>> Hello again,
>>
>> I didn't see any response to my questions below. Can someone at least
>> confirm or deny that bridging is still broken (or not) with 2.6  
>> kernels?
>>
>> Thanks in advance,
>> Jim Lloyd
>

Stephen Hemminger | 2 Jun 2006 21:29

Re: Minimal transparent bridge

On Fri, 2 Jun 2006 12:15:29 -0700
Jim Lloyd <jim.lloyd <at> mac.com> wrote:

> Hi Stephen,
> 
> Thanks, I'm familiar with your wiki, which has high quality content,  
> albeit a little light on quantity. :)
> 
> My original email asked what are the minimal steps to make a working
> bridge for two links with identical network configurations. I think
> this would be an excellent addition to the wiki. I'd volunteer to
> make the first pass at that, but so far I'm failing to achieve it
> with the hardware+os platforms I have available to me. It seems like
> it should be simple enough, and my initial reaction was to ignore the
> hearsay, but when, after trying several things, I still didn't have
> success, I had to be able to rule out the hearsay.

Go ahead, make edits.  It can always be fixed later or reverted.

Kunszt Árpád | 11 Jun 2006 22:37

802.1Q tagging

	Hi!

I'm new on the list and I'm Hungarian so please forgive my terribly bad
English.
First greetings to all.
I want to create a Linux box which will act as a rate limiter ( with
tc ) and an IP<->MAC checker ( now iptables on br0 ).
I have three interfaces. Two Gigabit ( eth1 and eth2 ) and one 100Mbps (
eth0 ) for management. On eth1 and eth2 there are approx 60 802.1Q
tagged VLANs so I don't want to create one bridge for every single VLAN.
I want to use one bridge. This is br0.
I set up iptables; it mainly consists of lines like -A <chain> -m mac
--mac-source <...> -s <...> -j ACCEPT then DROP without the -m mac stuff.
Then I set up tc on eth1 and eth2 using HTB, PRIO and SFQ. The
classifier was U32.
The bridge and the iptables worked ( the counters increased ). I can
arping from a machine on the eth1 interface to another machine on the
eth2 interface. The tc didn't work, the classifier didn't match any
packet ( I used ip dst addr/32 ). I thought this is because of the 4 byte
802.1Q header.
I tried to correct this but suddenly the bridge stopped. ( There
wasn't outgoing traffic on one interface. Only one, the second was okay. )
I'm using Gentoo with 2.6.16-gentoo-r9 kernel.
Did I do something wrong? Is this configuration/idea good? Or are there any
fundamental errors? Has anybody experienced these symptoms?
Any help or ideas are welcome.
Thanks,

Arpad